0x8ddd0018 error and Hijack scan!Pl help


Unread postby doldi » September 30th, 2008, 1:07 pm

Hi There,
I have the following error when I start Windows: /System32/vdjelepu.dll cannot be found.
Also I get self-extracting new Internet Explorer pages at any time, and my updates are turned off although I tried fixing that in forums. The error code is: 0x8ddd0018.
Here is the HijackThis scan. Please advise.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:52 PM, on 9/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wlan\IPN2220\wlan_ui.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lolaevents.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [484c15da] rundll32.exe "C:\WINDOWS\system32\vdjelepu.dll",b
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] D:\Programs\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - Global Startup: WLAN Configuration Utility.lnk = C:\Program Files\Wlan\IPN2220\wlan_ui.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5036.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 7380 bytes

Kaspersky antivirus scan
Full Scan: completed 9/30/2008 8:30:02 PM (events: 16, objects: 263271, time: 01:12:27)
9/30/2008 6:37:51 PM Task started
9/30/2008 6:40:26 PM Task completed
Full Scan: completed 9/30/2008 8:30:02 PM (events: 16, objects: 263271, time: 01:12:27)
9/30/2008 6:44:16 PM Task started
9/30/2008 6:56:24 PM Task stopped
Full Scan: completed 9/30/2008 8:30:02 PM (events: 16, objects: 263271, time: 01:12:27)
9/30/2008 7:04:12 PM Detected: Trojan.Win32.Agent.afbx C:\System Volume Information\_restore{DDBE82B3-97D3-402F-B859-80387ED35BC4}\RP43\A0016571.dll
9/30/2008 7:01:55 PM Task started
Full Scan: completed 9/30/2008 8:30:02 PM (events: 16, objects: 263271, time: 01:12:27)
9/30/2008 7:43:49 PM Detected: Trojan.JS.Pakes.l C:\Documents and Settings\vali\Local Settings\Temporary Internet Files\Content.IE5\FMX9PROA\index[1].htm
9/30/2008 7:38:33 PM Detected: Trojan.Win32.Agent.afbx C:\Documents and Settings\vali\Local Settings\Temporary Internet Files\Content.IE5\FMX9PROA\upd105320[1]
9/30/2008 7:36:00 PM Detected: Trojan.Win32.Agent.afbx C:\Documents and Settings\vali\Local Settings\Temporary Internet Files\Content.IE5\0OJN6C24\upd105320[1]
9/30/2008 7:19:25 PM Detected: Trojan.Win32.Agent.afbx C:\System Volume Information\_restore{DDBE82B3-97D3-402F-B859-80387ED35BC4}\RP43\A0016599.dll
9/30/2008 8:26:42 PM Detected: http://www.viruslist.com/en/advisories/16239 K:\computervali\Valya\extractions\eMule0.47a\eMule0.47a\emule.exe
9/30/2008 8:06:25 PM Detected: http://www.viruslist.com/en/advisories/25023 C:\Program Files\Adobe\Adobe After Effects CS3\Support Files\Plug-ins\Format\BMP.8bi
9/30/2008 7:29:25 PM Detected: http://www.viruslist.com/en/advisories/26027 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\flash.ocx
9/30/2008 7:23:58 PM Detected: http://www.viruslist.com/en/advisories/26027 C:\WINDOWS\system32\Macromed\Flash\flash.ocx
9/30/2008 8:06:41 PM Detected: http://www.viruslist.com/en/advisories/28083 C:\Program Files\Adobe\Adobe Bridge CS3\browser\plugins\NPSWF32.dll
9/30/2008 7:23:58 PM Detected: http://www.viruslist.com/en/advisories/28083 C:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx
9/30/2008 8:30:02 PM Task completed
9/30/2008 7:17:35 PM Task started
9/30/2008 7:43:49 PM Untreated: Trojan.JS.Pakes.l C:\Documents and Settings\vali\Local Settings\Temporary Internet Files\Content.IE5\FMX9PROA\index[1].htm Postponed
9/30/2008 7:39:23 PM Untreated: Trojan.Win32.Agent.afbx C:\Documents and Settings\vali\Local Settings\Temporary Internet Files\Content.IE5\FMX9PROA\upd105320[1] Postponed
9/30/2008 7:36:50 PM Untreated: Trojan.Win32.Agent.afbx C:\Documents and Settings\vali\Local Settings\Temporary Internet Files\Content.IE5\0OJN6C24\upd105320[1] Postponed
9/30/2008 7:20:25 PM Untreated: Trojan.Win32.Agent.afbx C:\System Volume Information\_restore{DDBE82B3-97D3-402F-B859-80387ED35BC4}\RP43\A0016599.dll Postponed
Full Scan: completed 9/30/2008 8:30:02 PM (events: 16, objects: 263271, time: 01:12:27)
9/30/2008 9:18:54 PM Task started
9/30/2008 9:19:16 PM Task completed
doldi
Regular Member
 
Posts: 15
Joined: September 30th, 2008, 12:57 pm

Re: 0x8ddd0018 error and Hijack scan!Pl help

Unread postby John B. » October 2nd, 2008, 2:20 pm

Hi! :hello2: and welcome to the Malware Removal forums.
My name is John Brouwer - if it helps, you can call me John for short. I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happens.

These rules are good for you to know:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • If you don't reply within five days after my last instructions this topic will be closed. If you will not be able to reply within five days please tell me so the topic will not be closed.

These rules are to make my voluntary work more comfortable:
  • Please be patient. The work I do is voluntary and I also have a private life (school, work, friends and hobbies).
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • Please reply to this thread. Do not start a new topic.
  • Also, don't post logs as attachments. Other helpers like to view the logs as well and opening a lot of attachments is irritating. It can also contain malware.

Finally, please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Open The Misc Tool Section button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop and post the contents in a reply to this topic.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: 0x8ddd0018 error and Hijack scan!Pl help

Unread postby doldi » October 2nd, 2008, 7:12 pm

Hi John, :bounce:
Thanks in advance and let's get going. Oh, and just to mention that my Windows updates are not working.

Uninstall list:

4oD
Acrobat.com
Acrobat.com
Adobe After Effects CS3
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe AIR
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe Illustrator CS3
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Video Profiles
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
Apple Mobile Device Support
Apple Software Update
BisonCam, USB2.0
ESET NOD32 Antivirus
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
iTunes
Kaspersky Internet Security 2009
Kaspersky Internet Security 2009
Magic ISO Maker v5.4 (build 0245)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.17)
Multimedia / Internet Keyboard Driver VerR8.16
NVIDIA Drivers
PDF Settings
PowerISO
QuickTime
RealPlayer
REALTEK Gigabit and Fast Ethernet NIC Driver
Realtek High Definition Audio Driver
Security Update for 2007 Microsoft Office System (KB951596)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Microsoft Office Excel 2007 (KB951546)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Skype™ 3.8
Smart Link 56K Voice Modem
Synaptics Pointing Device Driver
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB934391)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb956080)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
WIDCOMM Bluetooth Software
Windows Live installer
Windows Live Messenger
doldi
Regular Member
 
Posts: 15
Joined: September 30th, 2008, 12:57 pm

Re: 0x8ddd0018 error and Hijack scan!Pl help

Unread postby John B. » October 3rd, 2008, 4:12 pm

I am sorry I have not replied today. Friday is the busiest day in the week for me with no free time until now. Within 16 hours I will reply, after I have slept ;)
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: 0x8ddd0018 error and Hijack scan!Pl help

Unread postby doldi » October 3rd, 2008, 8:44 pm

Good morning John,
I am busy myself, so not to worry as far as we get the job done.
Kill the spies, right!? :compress:
doldi
Regular Member
 
Posts: 15
Joined: September 30th, 2008, 12:57 pm

Re: 0x8ddd0018 error and Hijack scan!Pl help

Unread postby John B. » October 4th, 2008, 5:47 am

Hi,

Kill the spies, right!?

That's right. With tired eyes this becomes very dangerous, but now I am ready ;)

In your logs I saw a couple of things that have to be done first. I also see which infection you have.
Step 1: Remove P2P Programs
In your HijackThis log I saw traces from BitTorrent, but in your uninstall log I couldn't find it. In case you still have it, please read this:
Remove P2P programs - MalWare Removal has a policy on P2P programs installed:

Use of P2P (Person to Person) file sharing programs

We have noticed that most people seeking help from us are coming with infections contracted from the use of P2P programs.

Because of this, we felt we needed to change our policy on the use of P2P file sharing programs.
  • If your helper detects the presence of such programs on your computer he/she will ask you to remove them. We will withdraw our help should you not agree to their removal.
  • If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programmes, we will refuse our help.

We do not ask you to do this without reason.

P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

We see no purpose in cleaning your machine if you use P2P programs, as it is pretty much certain that if you continue to use them then you will get infected again.


You have the following P2P program(s) installed:
BitTorrent

This is how you uninstall it/them:

  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):

    BitTorrent

Note: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.


Step 2: Disable one of your Anti Virus programs.
You are operating your computer with multiple Anti Virus programs running in memory at once:
AntiVir (HijackThis log)
Kaspersky Internet Security 2009 (Uninstall log)
NOD32 (Uninstall log)


Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

There are basically two types of these programs:
On-Access and On-Demand

On-Access Scanners
As the name implies, it runs in the background all the time the PC is turned on and running. The main function of an on-access scanner is to monitor activity on your machine.

On-Demand Scanners
As the name implies, these are scanners that only run when you ask them to.
Such as:
Online scans, and scanners that run on your machine but are not actively scanning your machine.

Please disable one or the other so they do not conflict. I recommend keeping Kaspersky Internet Security 2009 running as it has both a good On-Access scanner and a built-in firewall. This means you wouldn't have to install a third-party firewall, which you would probably have to when keeping AntiVir or NOD32.

Step 3: Move HijackThis
You currently are running HijackThis from here:
D:\Programs\HijackThis.exe

Please make a folder there:
D:\Programs\HijackThis
and place HijackThis.exe in that folder.

Step 4: Rename HijackThis
There is probably an infection which is hiding part of the HijackThis log because it's called hijackthis.exe.
Please rename hijackthis.exe to goodscanner.exe

Step 5: Post logs
Please post the following logs in a reply to this topic:
  • New HijackThis log
  • New Uninstall log

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: 0x8ddd0018 error and Hijack scan!Pl help

Unread postby doldi » October 4th, 2008, 1:31 pm

Hi John,
I have deleted the torrent software and I am aware that I did get infected with it and I am self-aware.
I deleted Kaspersky or so simply because I have a licence for NOD antivirus. Perhaps I need a third-party firewall, you decide. P.S. Where do I get it from?
Here is the log of HijackThis which has been renamed to goodscanner.
Many thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:25 PM, on 10/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kontiki\KHost.exe
D:\Programs\iTunesHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wlan\IPN2220\wlan_ui.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\Programs\Hijack This\goodscaner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lolaevents.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {33AC7D18-DC35-4D1A-940E-AFD5FC5C3327} - C:\WINDOWS\system32\cbXRKCvT.dll
O2 - BHO: (no name) - {4A1E7A41-7B76-4991-B5E7-8A1CBC2C808E} - C:\WINDOWS\system32\khfGyXnk.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [484c15da] rundll32.exe "C:\WINDOWS\system32\vdjelepu.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programs\iTunesHelper.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] D:\Programs\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - Global Startup: WLAN Configuration Utility.lnk = C:\Program Files\Wlan\IPN2220\wlan_ui.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5036.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: cbXRKCvT - C:\WINDOWS\SYSTEM32\cbXRKCvT.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 8293 bytes
doldi
Regular Member
 
Posts: 15
Joined: September 30th, 2008, 12:57 pm

Re: 0x8ddd0018 error and Hijack scan!Pl help

Post by John B. » October 4th, 2008, 2:08 pm

Hi,

BitTorrent still seems to be present. It could also have the name of DNA in your uninstall list. After you have fully removed it please post a fresh HijackThis log and a fresh uninstall log.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: 0x8ddd0018 error and Hijack scan!Pl help

Post by doldi » October 5th, 2008, 5:16 pm

Hi there. That is done now. Here it is:

4oD
Acrobat.com
Acrobat.com
Adobe After Effects CS3
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe AIR
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe Illustrator CS3
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Video Profiles
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
Apple Mobile Device Support
Apple Software Update
BisonCam, USB2.0
ESET NOD32 Antivirus
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
iTunes
Magic ISO Maker v5.4 (build 0245)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.17)
Multimedia / Internet Keyboard Driver VerR8.16
NVIDIA Drivers
PDF Settings
PowerISO
QuickTime
RealPlayer
REALTEK Gigabit and Fast Ethernet NIC Driver
Realtek High Definition Audio Driver
Security Update for 2007 Microsoft Office System (KB951596)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Microsoft Office Excel 2007 (KB951546)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Skype™ 3.8
Smart Link 56K Voice Modem
Synaptics Pointing Device Driver
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB934391)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb956080)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VLC media player 0.9.2
WIDCOMM Bluetooth Software
Windows Live installer
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
Wireless 11g Adaptor Driver and Utilities



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:03 PM, on 10/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kontiki\KHost.exe
D:\Programs\iTunesHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wlan\IPN2220\wlan_ui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Programs\Hijack This\goodscaner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lolaevents.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {33AC7D18-DC35-4D1A-940E-AFD5FC5C3327} - C:\WINDOWS\system32\cbXRKCvT.dll
O2 - BHO: (no name) - {4A1E7A41-7B76-4991-B5E7-8A1CBC2C808E} - C:\WINDOWS\system32\khfGyXnk.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [484c15da] rundll32.exe "C:\WINDOWS\system32\vdjelepu.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programs\iTunesHelper.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] D:\Programs\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - Global Startup: WLAN Configuration Utility.lnk = C:\Program Files\Wlan\IPN2220\wlan_ui.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5036.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: cbXRKCvT - C:\WINDOWS\SYSTEM32\cbXRKCvT.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 8169 bytes
doldi
Regular Member
 
Posts: 15
Joined: September 30th, 2008, 12:57 pm
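An added illustration, not part of this thread and not code from HijackThis: a small Python triage script that applies mechanically the checks a helper applies by eye to the O2/O4/O20 lines of a log like the one above (unnamed or orphaned BHOs, Run values with random hex names, rundll32 loading a DLL through a one-letter export, and one DLL registered both as a BHO and as a Winlogon Notify package). The sample lines are copied from the log above; the heuristics and thresholds are my own assumptions, meant to shortlist lines for a human reviewer rather than to judge them.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {33AC7D18-DC35-4D1A-940E-AFD5FC5C3327} - C:\WINDOWS\system32\cbXRKCvT.dll
O2 - BHO: (no name) - {4A1E7A41-7B76-4991-B5E7-8A1CBC2C808E} - C:\WINDOWS\system32\khfGyXnk.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [484c15da] rundll32.exe "C:\WINDOWS\system32\vdjelepu.dll",b
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O20 - Winlogon Notify: cbXRKCvT - C:\WINDOWS\SYSTEM32\cbXRKCvT.dll
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
"""

# "O4 - <body>" / "R1 - <body>": section code, then the rest of the line.
LINE_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<body>.*)$")
# First Windows path ending in .dll or .exe (quotes and the ",export" suffix excluded).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n,]*?\.(?:dll|exe)', re.IGNORECASE)
# The [name] of a Run value.
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")
# rundll32 <dll>,<export>: capture the export name after the comma.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]+\.dll"?,(?P<export>\S*)', re.IGNORECASE)
# Assumed heuristic: an 8-digit hex Run name is not something a vendor installer writes.
HEXNAME_RE = re.compile(r"^[0-9a-f]{8}$")


def module_stem(path):
    """Lower-cased file name without extension, e.g. 'cbxrkcvt' for ...\\cbXRKCvT.dll."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def triage(log_text):
    """Return a list of (section, reason) findings for lines that deserve a closer look."""
    findings = []
    seen_in = defaultdict(set)  # module stem -> HijackThis sections that reference it

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        pm = PATH_RE.search(body)
        if pm:
            seen_in[module_stem(pm.group(0))].add(sec)

        if sec == "O2":
            if "(no name)" in body:
                findings.append((sec, "BHO registered without a name: " + body))
            if "(file missing)" in body or "(no file)" in body:
                findings.append((sec, "BHO points at a file that no longer exists (orphaned registration): " + body))
        elif sec == "O4":
            nm = RUN_NAME_RE.search(body)
            if nm and HEXNAME_RE.match(nm.group("name")):
                findings.append((sec, "Run value named like a random hex string: " + body))
            rd = RUNDLL_RE.search(body)
            if rd and len(rd.group("export")) <= 2:
                findings.append((sec, "rundll32 loads a DLL through a one- or two-letter export: " + body))
        elif sec == "O20":
            # Assumption: third-party Winlogon Notify packages are rare enough to always review.
            findings.append((sec, "Winlogon Notify package; verify the DLL is from a known vendor: " + body))

    # Corroboration: the same DLL hooked into both the browser (O2) and winlogon (O20).
    for stem, secs in sorted(seen_in.items()):
        if "O20" in secs and "O2" in secs:
            findings.append(("O2+O20", f"{stem}.dll is registered both as a BHO and as a Winlogon Notify DLL"))
    return findings


if __name__ == "__main__":
    for sec, reason in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}")
```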

Re: 0x8ddd0018 error and Hijack scan!Pl help

Post by John B. » October 6th, 2008, 11:13 am

Hi,

Looks good! :D Let's start with the removal.

You aren't running Firewall Software. Please download and install one of them first!

Use a Firewall - Using a Firewall on your computer can be very important. Without a firewall your computer is susceptible to being hacked and taken over. There are some different situations you can be in where a third-party firewall may or may not be a good addition to your system:
  • If you are not using Windows XP or Vista, but an older version, I recommend that you use a firewall.
  • If you are using Windows XP or Vista, but are on dial-up, I recommend that you use a firewall.
  • If you are using Windows XP or Vista and are using broadband, but are not experienced in using firewalls and getting the choice to allow or disallow things, I recommend that you use Windows Firewall.
  • If you are using Windows XP or Vista, are using broadband and are experienced, I recommend that you disable Windows Firewall (as it is not perfect) and get a third-party firewall.

Here are some firewalls which are free for personal use and most used:
Kerio Personal Firewall (Free version after 30 days)
Online Armor Free

Or you could buy their paid version online or in a shop nearby:
Kerio Personal Firewall (Continue paid version after 30 days)
Online Armor v2

Once you have done this, we can begin with the fix.

Step 1: Upload malware for scanning
I'd like you to check a file for malware.
D:\Programs\iTunesHelper.exe

  • Copy/Paste the file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Save the complete results in a Notepad/Word document on your desktop.

Step 2: Download and Run ComboFix
Before you download the newest version of ComboFix please make sure there's no older version of ComboFix on your desktop! If there is one, please delete it.

Download Combofix from any of the links below, and save it to your desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: It is important that it is saved directly to your desktop!

Now close any open browsers. Also close/disable your anti-virus so it does not interfere with the running of ComboFix. For information on how to do that for your program see this webpage:
http://www.bleepingcomputer.com/forums/topic114351.html
Also disconnect from the internet, as you can get infected very easily with your anti-virus disabled.

Double click on combofix.exe & follow the prompts. Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

When finished, it will produce a report for you. This report will also be saved in C:\ComboFix.txt

Note: Remember to re-enable your anti-virus program.

Step 3: Post logs
Please post the following logs in a reply to this topic:
  • New HijackThis log
  • Virustotal/Jotti results
  • ComboFix log

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: 0x8ddd0018 error and Hijack scan!Pl help

Post by doldi » October 6th, 2008, 2:39 pm

Hi there,

I have installed Online Armor v2 and afterwards followed your instructions for ComboFix.
Now when I go to C:/comboFix there is a folder, and in there I saw a few text files. I am posting here the one I thought could be relevant, but I feel a bit confused here.

ComboFix 08-10-06.01 - vali 2008-10-06 19:20:32.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2270 [GMT 1:00]
Running from: C:\Documents and Settings\vali\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

The VirusTotal result is:
Additional information
File size: 289576 bytes
MD5...: a7fa648719063b234a434a089fc0f49d
SHA1..: 65b7190c139ad06092480bd502918eeb3115d94e
SHA256: 544edfeb784b4a77483c16130129fd43faa2a39042c86da09e17e1274c024862
SHA512: b7e309ed78a113cc8663711f401cbf4aeb169ace8b5c0eb4385f30aa505a092823299e5cceac38fc2668239b5fcd6d39a7281c1a9c06932749bfdd655ef6664e
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x411b41
timedatestamp.....: 0x48c5fda7 (Tue Sep 09 04:37:59 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1fa28 0x1fc00 6.62 f7606c21e6174c896f95ff2c5a8d1fd6
.rdata 0x21000 0x7d82 0x7e00 5.36 5c517f597e50fde9999a1f0e768a843a
.data 0x29000 0x3e40 0x2000 4.10 bc5c3a3808d2a1f868c9047a80c09764
.rsrc 0x2d000 0x16f68 0x17000 5.35 ab6b3268bd420eeb2a8cec8c7b24ee3b
.reloc 0x44000 0x46e2 0x4800 4.03 0ce68e73dd10d1fc63f58ccc3f6e11f3

( 9 imports )
> VERSION.dll: GetFileVersionInfoA, GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueA, GetFileVersionInfoSizeA
> WININET.dll: HttpSendRequestA, InternetCloseHandle, InternetConnectA, InternetOpenA, InternetReadFile, InternetQueryDataAvailable, HttpQueryInfoA, HttpOpenRequestA, InternetGetConnectedState
> SETUPAPI.dll: SetupDiDestroyDeviceInfoList, CM_Get_Device_IDW, SetupDiGetDeviceRegistryPropertyW, SetupDiGetClassDevsW, SetupDiEnumDeviceInfo
> KERNEL32.dll: LCMapStringW, LCMapStringA, HeapSize, GetStdHandle, ExitProcess, HeapCreate, HeapDestroy, GetConsoleMode, GetConsoleCP, MultiByteToWideChar, WideCharToMultiByte, lstrlenW, RaiseException, InitializeCriticalSection, DeleteCriticalSection, GetLastError, lstrlenA, lstrcmpiA, EnterCriticalSection, LeaveCriticalSection, GetCurrentThreadId, IsDBCSLeadByte, GetModuleFileNameA, InterlockedIncrement, InterlockedDecrement, FreeLibrary, SizeofResource, LoadResource, FindResourceA, LoadLibraryExA, GetModuleHandleA, ResetEvent, SetEvent, GetCommandLineA, CloseHandle, CreateEventA, CreateProcessA, Sleep, WaitForMultipleObjects, CreateEventW, WaitForSingleObject, CreateThread, FlushInstructionCache, GetCurrentProcess, Process32Next, Process32First, CreateToolhelp32Snapshot, SetLastError, WriteFile, SetFilePointer, CreateFileA, ProcessIdToSessionId, GetCurrentProcessId, TerminateThread, GetExitCodeThread, SetStdHandle, FlushFileBuffers, CreateFileW, OutputDebugStringA, GetModuleFileNameW, DebugBreak, GlobalFree, GlobalAlloc, GetLocaleInfoW, GetUserDefaultLCID, GetSystemDefaultLangID, LoadLibraryW, GetProcAddress, VerifyVersionInfoA, VerSetConditionMask, LoadLibraryA, CreateMutexW, HeapSetInformation, ReleaseMutex, CreateMutexA, GetSystemDirectoryA, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, IsValidCodePage, GetOEMCP, GetCPInfo, GetFileAttributesA, GetStartupInfoA, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetLocalTime, GetTickCount, ExitThread, GetSystemTimeAsFileTime, GetTimeZoneInformation, HeapReAlloc, RtlUnwind, VirtualQuery, GetSystemInfo, VirtualProtect, VirtualAlloc, VirtualFree, IsProcessorFeaturePresent, HeapAlloc, GetProcessHeap, HeapFree, InterlockedCompareExchange, GetVersionExA, GetThreadLocale, GetLocaleInfoA, GetACP, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CompareStringA, CompareStringW, SetEnvironmentVariableA, FreeEnvironmentStringsA, QueryPerformanceCounter, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, CopyFileW, GetEnvironmentStrings, GetStringTypeW, GetStringTypeA, InterlockedExchange
> USER32.dll: SetPropA, GetDesktopWindow, MessageBeep, CreateDialogParamA, GetForegroundWindow, GetWindowThreadProcessId, AttachThreadInput, IsIconic, SetForegroundWindow, PostQuitMessage, ShowWindow, DefWindowProcA, DispatchMessageA, TranslateMessage, PostThreadMessageA, CharUpperA, SetWindowLongA, UnhookWindowsHookEx, SetWindowsHookExA, DestroyWindow, CallNextHookEx, CharNextA, SetDlgItemTextA, SendDlgItemMessageA, SetWindowTextA, PostMessageA, GetPropA, CreateWindowExA, RegisterClassA, KillTimer, LoadStringA, wsprintfA, GetMessageA, UnregisterClassA, SendMessageA
> ADVAPI32.dll: RegOpenKeyW, RegQueryValueExW, RegQueryValueExA, GetUserNameA, RegEnumKeyExA, RegQueryInfoKeyA, RegSetValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, RegOpenKeyExW
> ole32.dll: CoInitialize, CoRegisterClassObject, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree, StringFromGUID2, CoCreateInstance, CoRevokeClassObject, CoUninitialize, CoInitializeEx, GetRunningObjectTable, CreateClassMoniker
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -
> SHLWAPI.dll: PathFileExistsA

( 0 exports )

And finally the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:38, on 2008-10-06
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Programs\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kontiki\KHost.exe
D:\Programs\iTunesHelper.exe
D:\Programs\Online Armor\oaui.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Wlan\IPN2220\wlan_ui.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Programs\Hijack This\goodscaner.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lolaevents.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {33AC7D18-DC35-4D1A-940E-AFD5FC5C3327} - C:\WINDOWS\system32\cbXRKCvT.dll
O2 - BHO: (no name) - {4A1E7A41-7B76-4991-B5E7-8A1CBC2C808E} - C:\WINDOWS\system32\khfGyXnk.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [484c15da] rundll32.exe "C:\WINDOWS\system32\vdjelepu.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programs\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OnlineArmor GUI] "D:\Programs\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] D:\Programs\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - Global Startup: WLAN Configuration Utility.lnk = C:\Program Files\Wlan\IPN2220\wlan_ui.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5036.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: cbXRKCvT - C:\WINDOWS\SYSTEM32\cbXRKCvT.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - D:\Programs\Online Armor\oasrv.exe

--
End of file - 8199 bytes

Many thanks.
doldi
Regular Member
 
Posts: 15
Joined: September 30th, 2008, 12:57 pm

Re: 0x8ddd0018 error and Hijack scan!Pl help

Unread postby John B. » October 7th, 2008, 1:48 am

Hi,

Please go to your hard drive C:\ and there should be a file called ComboFix.txt. Also, you only posted the additional information of the VirusTotal results. Please post the whole thing, so also which antivirus thought the file was infected. If you can't find that anymore, scan the file again at VirusTotal.

Please post the ComboFix.txt and the COMPLETE results from Virustotal.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: 0x8ddd0018 error and Hijack scan!Pl help

Unread postby doldi » October 7th, 2008, 7:09 am

Hi John,

I did run ComboFix again and here is the file that I could not find before.

ComboFix 08-10-06.01 - vali 2008-10-07 11:59:50.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2290 [GMT 1:00]
Running from: C:\Documents and Settings\vali\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\agxjkwcg.ini
C:\WINDOWS\system32\bhraspsi.ini
C:\WINDOWS\system32\fccaWOEW.dll
C:\WINDOWS\system32\knXyGfhk.ini
C:\WINDOWS\system32\knXyGfhk.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\refbrbcv.ini
C:\WINDOWS\system32\tbpgomms.ini
C:\WINDOWS\system32\upelejdv.ini
C:\WINDOWS\system32\vatpdchi.ini
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
.

2008-10-07 11:43 . 2008-10-07 11:43 324,564 --a------ C:\WINDOWS\system32\tuvTmMeE.dll
2008-10-06 21:29 . 2008-10-06 21:29 324,564 --a------ C:\WINDOWS\system32\ljJAQGxw.dll
2008-10-06 20:29 . 2008-10-06 20:29 324,564 --a------ C:\WINDOWS\system32\khfGwWOG.dll
2008-10-06 18:47 . 2008-10-06 18:47 <DIR> d-------- C:\Documents and Settings\vali\Application Data\OnlineArmor
2008-10-06 18:47 . 2008-10-06 18:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2008-10-06 18:47 . 2008-04-17 05:25 80,584 --a------ C:\WINDOWS\system32\drivers\OADriver.sys
2008-10-06 18:47 . 2008-04-17 05:25 32,456 --a------ C:\WINDOWS\system32\drivers\OAmon.sys
2008-10-06 18:47 . 2008-04-17 05:25 28,872 --a------ C:\WINDOWS\system32\drivers\oanet.sys
2008-10-06 16:36 . 2008-10-06 16:37 324,564 --a------ C:\WINDOWS\system32\ljjIaWOf.dll
2008-10-06 15:56 . 2008-10-06 15:56 <DIR> d-------- C:\Documents and Settings\vali\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-10-06 13:36 . 2008-10-06 13:36 324,564 --a------ C:\WINDOWS\system32\pMDuSMDu.dll
2008-10-05 22:00 . 2008-10-05 22:00 325,982 --a------ C:\WINDOWS\system32\urqPfgEx.dll
2008-10-05 21:00 . 2008-10-05 21:00 325,982 --a------ C:\WINDOWS\system32\geBqOHAQ.dll
2008-10-05 20:00 . 2008-10-05 20:00 325,982 --a------ C:\WINDOWS\system32\urqOHAQh.dll
2008-10-05 19:00 . 2008-10-05 19:00 325,982 --a------ C:\WINDOWS\system32\rqRIxwTN.dll
2008-10-05 16:00 . 2008-10-05 16:00 325,982 --a------ C:\WINDOWS\system32\urqOEwVo.dll
2008-10-05 15:00 . 2008-10-05 15:00 325,666 --a------ C:\WINDOWS\system32\efcAPICU.dll
2008-10-05 14:28 . 2008-10-05 14:28 <DIR> d-------- C:\Documents and Settings\vali\Application Data\dvdcss
2008-10-05 14:27 . 2008-10-05 14:27 <DIR> d-------- C:\Program Files\VideoLAN
2008-10-05 14:19 . 2008-10-05 14:19 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-10-05 14:09 . 2008-10-05 14:09 0 --a------ C:\WINDOWS\iPlayer.INI
2008-10-05 14:06 . 2008-10-05 14:06 <DIR> d-------- C:\Program Files\InterActual
2008-10-05 14:00 . 2008-10-05 14:00 325,982 --a------ C:\WINDOWS\system32\ddcCRHYr.dll
2008-10-04 19:26 . 2008-10-04 19:26 324,564 --a------ C:\WINDOWS\system32\jkkJaAqP.dll
2008-10-04 18:11 . 2008-10-04 18:11 324,564 --a------ C:\WINDOWS\system32\mlJAtQGa.dll
2008-10-01 21:18 . 2008-10-01 21:18 <DIR> d--hs---- C:\FOUND.003
2008-09-30 22:53 . 2008-09-30 22:53 <DIR> d-------- C:\Program Files\iPod
2008-09-30 22:53 . 2008-09-30 22:53 <DIR> d-------- C:\Documents and Settings\vali\Application Data\Apple Computer
2008-09-30 22:53 . 2008-09-30 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-30 22:53 . 2008-04-17 13:12 107,368 --a------ C:\WINDOWS\system32\GEARAspi.dll
2008-09-30 22:53 . 2008-04-17 13:12 15,464 --a------ C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2008-09-30 22:52 . 2008-09-30 22:52 <DIR> d-------- C:\Program Files\QuickTime
2008-09-30 22:52 . 2008-09-30 22:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-30 22:51 . 2008-09-30 22:51 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-09-30 21:54 . 2008-09-30 21:54 <DIR> d--hs---- C:\FOUND.002
2008-09-30 19:09 . 2008-09-30 19:09 <DIR> d--hs---- C:\FOUND.001
2008-09-30 18:28 . 2008-09-30 18:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-09-30 17:23 . 2008-09-30 17:23 <DIR> d--hs---- C:\FOUND.000
2008-09-29 21:43 . 2008-09-29 21:43 <DIR> d-------- C:\Program Files\Kontiki
2008-09-29 11:33 . 2008-09-29 11:33 <DIR> d-------- C:\Documents and Settings\vali\Application Data\Uniblue
2008-09-27 18:43 . 2008-09-27 18:43 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-09-26 16:57 . 2008-09-26 16:57 <DIR> d-------- C:\WINDOWS\Bs350u2
2008-09-26 16:57 . 2004-12-02 20:23 605,312 --a------ C:\WINDOWS\system32\drivers\Bs350u2.sys
2008-09-26 16:57 . 2004-10-07 20:38 81,920 --a------ C:\WINDOWS\system\vfwExtC.dll
2008-09-26 16:57 . 2004-10-07 20:25 77,824 --a------ C:\WINDOWS\system\FiltProp.dll
2008-09-26 16:57 . 2004-11-29 12:36 40,960 --a------ C:\WINDOWS\Bs350u2r.exe
2008-09-26 16:57 . 2003-09-22 13:49 15,190 --a------ C:\WINDOWS\M1000Twn.ini
2008-09-26 16:57 . 2003-09-22 14:36 13,448 --a------ C:\WINDOWS\M1000Twn.src
2008-09-26 16:57 . 2004-06-17 22:23 12,537 --a------ C:\WINDOWS\system\S10H0110.csr
2008-09-26 16:57 . 2004-06-26 17:39 11,528 --a------ C:\WINDOWS\system\S10F0110.csr
2008-09-26 16:57 . 2004-06-16 20:38 3,031 --a------ C:\WINDOWS\system32\drivers\C10H0110.bin
2008-09-26 16:57 . 2004-06-16 20:38 3,031 --a------ C:\WINDOWS\system32\drivers\C10F0110.bin
2008-09-26 14:56 . 2008-09-26 14:56 <DIR> d-------- C:\Program Files\MagicDisc
2008-09-24 13:07 . 2008-09-24 13:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-05 13:19 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-10-05 13:19 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-09-04 13:03 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-09-04 12:58 --------- d-----w C:\Program Files\NOS
2008-09-04 12:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-09-04 11:15 --------- d-----w C:\Program Files\PowerISO
2008-09-04 11:02 --------- d-----w C:\Documents and Settings\vali\Application Data\Canon
2008-09-03 23:49 --------- d-----w C:\Program Files\Apple Software Update
2008-09-03 23:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-09-03 14:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\ALM
2008-09-03 14:02 --------- d-----w C:\Program Files\Bonjour
2008-09-03 13:58 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-09-03 13:42 --------- d-----w C:\Program Files\MagicISO
2008-09-02 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-09-02 21:50 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-02 17:41 --------- d-----w C:\Program Files\DNA
2008-09-01 12:00 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-09-01 11:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-09-01 11:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Channel4
2008-08-29 21:09 --------- d-----w C:\Program Files\Real
2008-08-29 21:09 --------- d-----w C:\Program Files\Common Files\Real
2008-08-29 19:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-08-29 09:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe
2008-08-29 08:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
2008-08-28 22:46 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-08-28 22:43 --------- d-sh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-28 22:42 --------- d-----w C:\Program Files\Windows Live
2008-08-28 22:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-28 22:38 --------- d-----w C:\Documents and Settings\vali\Application Data\skypePM
2008-08-28 22:37 --------- d-----w C:\Program Files\Skype
2008-08-28 22:37 --------- d-----w C:\Program Files\Google
2008-08-28 22:37 --------- d-----w C:\Program Files\Common Files\Skype
2008-08-28 22:37 --------- d-----w C:\Documents and Settings\vali\Application Data\Skype
2008-08-28 22:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-28 22:11 --------- d-----w C:\Program Files\ESET
2008-08-28 22:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-08-28 19:57 --------- d-----w C:\Program Files\WIDCOMM
2008-08-28 19:56 --------- d-----w C:\Program Files\Wlan
2008-08-28 19:53 --------- d-----w C:\Program Files\Synaptics
2008-08-28 19:44 --------- d-----w C:\Program Files\Realtek
2008-08-28 19:41 --------- d-----w C:\Program Files\Intel
2008-08-28 19:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-28 19:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-28 19:32 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-18 12:27 34,312 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-08-18 12:19 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-08-18 12:18 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-18 21:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 21:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33AC7D18-DC35-4D1A-940E-AFD5FC5C3327}]
2006-01-26 16:39 38272 --a------ C:\WINDOWS\system32\cbXRKCvT.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-08-12 21741864]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-08-28 171448]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-29 5898240]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-04-29 102490]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-04-29 708698]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-08-18 1447168]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-09-09 196608]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 1032640]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="D:\Programs\iTunesHelper.exe" [2008-09-10 289576]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"OnlineArmor GUI"="D:\Programs\Online Armor\oaui.exe" [2008-04-17 5545536]
"PtiuPbmd"="ptipbm.dll" [2005-01-14 C:\WINDOWS\system32\ptipbm.dll]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-04-29 C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-29 C:\WINDOWS\ALCWZRD.EXE]
"nwiz"="nwiz.exe" [2005-04-29 C:\WINDOWS\system32\nwiz.exe]
"CHotkey"="mHotkey.exe" [2001-12-26 C:\WINDOWS\mHotkey.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WLAN Configuration Utility.lnk - C:\Program Files\Wlan\IPN2220\wlan_ui.exe [2004-11-08 454656]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-03-03 512061]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{33AC7D18-DC35-4D1A-940E-AFD5FC5C3327}"= "C:\WINDOWS\system32\cbXRKCvT.dll" [2006-01-26 38272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXRKCvT]
2006-01-26 16:39 38272 C:\WINDOWS\system32\cbXRKCvT.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\System32\\USMT\\MIGWIZ.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"D:\\Programs\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-08-18 34312]
R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2008-04-17 80584]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2008-04-17 32456]
R1 OAnet;OAnet;C:\WINDOWS\system32\drivers\OAnet.sys [2008-04-17 28872]
R3 Slazldrv;SmartLink AMR_PCI Driver;C:\WINDOWS\system32\DRIVERS\SLDRV\slazldrv.sys [2005-04-29 230448]
S2 SvcOnlineArmor;Online Armor;D:\Programs\Online Armor\oasrv.exe [2008-04-17 5435968]
S3 CB54G3;Wireless CB54G3/MP54G3 Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\i2220ntx.sys [2004-04-27 148480]
.
Contents of the 'Scheduled Tasks' folder

2008-09-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{4A1E7A41-7B76-4991-B5E7-8A1CBC2C808E} - C:\WINDOWS\system32\khfGyXnk.dll
HKCU-Run-Uniblue RegistryBooster 2009 - D:\Programs\Uniblue\RegistryBooster\RegistryBooster.exe
HKLM-Run-484c15da - C:\WINDOWS\system32\vdjelepu.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\vali\Application Data\Mozilla\Firefox\Profiles\ckajjtx5.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.grapevinejobs.com/home.asp
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 12:00:56
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\cbXRKCvT.dll
.
Completion time: 2008-10-07 12:01:19
ComboFix-quarantined-files.txt 2008-10-07 11:01:18

Pre-Run: 934,232,064 bytes free
Post-Run: 927,547,392 bytes free

241 --- E O F --- 2008-10-06 17:46:28

Plus

File iTunesHelper.exe received on 10.07.2008 05:18:40 (CET)
Current status: finished

Result: 0/36 (0.00%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.10.3.2 2008.10.06 -
AntiVir 7.8.1.34 2008.10.06 -
Authentium 5.1.0.4 2008.10.07 -
Avast 4.8.1248.0 2008.10.06 -
AVG 8.0.0.161 2008.10.06 -
BitDefender 7.2 2008.10.07 -
CAT-QuickHeal 9.50 2008.10.06 -
ClamAV 0.93.1 2008.10.07 -
DrWeb 4.44.0.09170 2008.10.06 -
eSafe 7.0.17.0 2008.10.07 -
eTrust-Vet 31.6.6132 2008.10.06 -
Ewido 4.0 2008.10.06 -
F-Prot 4.4.4.56 2008.10.06 -
F-Secure 8.0.14332.0 2008.10.07 -
Fortinet 3.113.0.0 2008.10.07 -
GData 19 2008.10.07 -
Ikarus T3.1.1.34.0 2008.10.07 -
K7AntiVirus 7.10.486 2008.10.06 -
Kaspersky 7.0.0.125 2008.10.06 -
McAfee 5398 2008.10.04 -
Microsoft 1.4005 2008.10.07 -
NOD32 3498 2008.10.07 -
Norman 5.80.02 2008.10.06 -
Panda 9.0.0.4 2008.10.06 -
PCTools 4.4.2.0 2008.10.06 -
Prevx1 V2 2008.10.07 -
Rising 20.65.02.00 2008.10.06 -
SecureWeb-Gateway 6.7.6 2008.10.06 -
Sophos 4.34.0 2008.10.07 -
Sunbelt 3.1.1707.1 2008.10.07 -
Symantec 10 2008.10.07 -
TheHacker 6.3.1.0.102 2008.10.07 -
TrendMicro 8.700.0.1004 2008.10.06 -
VBA32 3.12.8.6 2008.10.07 -
ViRobot 2008.10.6.1408 2008.10.06 -
VirusBuster 4.5.11.0 2008.10.06 -
Additional information
Tamano archivo: 289576 bytes
MD5...: a7fa648719063b234a434a089fc0f49d
SHA1..: 65b7190c139ad06092480bd502918eeb3115d94e
SHA256: 544edfeb784b4a77483c16130129fd43faa2a39042c86da09e17e1274c024862
SHA512: b7e309ed78a113cc8663711f401cbf4aeb169ace8b5c0eb4385f30aa505a0928
23299e5cceac38fc2668239b5fcd6d39a7281c1a9c06932749bfdd655ef6664e
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x411b41
timedatestamp.....: 0x48c5fda7 (Tue Sep 09 04:37:59 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1fa28 0x1fc00 6.62 f7606c21e6174c896f95ff2c5a8d1fd6
.rdata 0x21000 0x7d82 0x7e00 5.36 5c517f597e50fde9999a1f0e768a843a
.data 0x29000 0x3e40 0x2000 4.10 bc5c3a3808d2a1f868c9047a80c09764
.rsrc 0x2d000 0x16f68 0x17000 5.35 ab6b3268bd420eeb2a8cec8c7b24ee3b
.reloc 0x44000 0x46e2 0x4800 4.03 0ce68e73dd10d1fc63f58ccc3f6e11f3

( 9 imports )
> VERSION.dll: GetFileVersionInfoA, GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueA, GetFileVersionInfoSizeA
> WININET.dll: HttpSendRequestA, InternetCloseHandle, InternetConnectA, InternetOpenA, InternetReadFile, InternetQueryDataAvailable, HttpQueryInfoA, HttpOpenRequestA, InternetGetConnectedState
> SETUPAPI.dll: SetupDiDestroyDeviceInfoList, CM_Get_Device_IDW, SetupDiGetDeviceRegistryPropertyW, SetupDiGetClassDevsW, SetupDiEnumDeviceInfo
> KERNEL32.dll: LCMapStringW, LCMapStringA, HeapSize, GetStdHandle, ExitProcess, HeapCreate, HeapDestroy, GetConsoleMode, GetConsoleCP, MultiByteToWideChar, WideCharToMultiByte, lstrlenW, RaiseException, InitializeCriticalSection, DeleteCriticalSection, GetLastError, lstrlenA, lstrcmpiA, EnterCriticalSection, LeaveCriticalSection, GetCurrentThreadId, IsDBCSLeadByte, GetModuleFileNameA, InterlockedIncrement, InterlockedDecrement, FreeLibrary, SizeofResource, LoadResource, FindResourceA, LoadLibraryExA, GetModuleHandleA, ResetEvent, SetEvent, GetCommandLineA, CloseHandle, CreateEventA, CreateProcessA, Sleep, WaitForMultipleObjects, CreateEventW, WaitForSingleObject, CreateThread, FlushInstructionCache, GetCurrentProcess, Process32Next, Process32First, CreateToolhelp32Snapshot, SetLastError, WriteFile, SetFilePointer, CreateFileA, ProcessIdToSessionId, GetCurrentProcessId, TerminateThread, GetExitCodeThread, SetStdHandle, FlushFileBuffers, CreateFileW, OutputDebugStringA, GetModuleFileNameW, DebugBreak, GlobalFree, GlobalAlloc, GetLocaleInfoW, GetUserDefaultLCID, GetSystemDefaultLangID, LoadLibraryW, GetProcAddress, VerifyVersionInfoA, VerSetConditionMask, LoadLibraryA, CreateMutexW, HeapSetInformation, ReleaseMutex, CreateMutexA, GetSystemDirectoryA, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, IsValidCodePage, GetOEMCP, GetCPInfo, GetFileAttributesA, GetStartupInfoA, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetLocalTime, GetTickCount, ExitThread, GetSystemTimeAsFileTime, GetTimeZoneInformation, HeapReAlloc, RtlUnwind, VirtualQuery, GetSystemInfo, VirtualProtect, VirtualAlloc, VirtualFree, IsProcessorFeaturePresent, HeapAlloc, GetProcessHeap, HeapFree, InterlockedCompareExchange, GetVersionExA, GetThreadLocale, GetLocaleInfoA, GetACP, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CompareStringA, CompareStringW, SetEnvironmentVariableA, FreeEnvironmentStringsA, QueryPerformanceCounter, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, CopyFileW, GetEnvironmentStrings, GetStringTypeW, GetStringTypeA, InterlockedExchange
> USER32.dll: SetPropA, GetDesktopWindow, MessageBeep, CreateDialogParamA, GetForegroundWindow, GetWindowThreadProcessId, AttachThreadInput, IsIconic, SetForegroundWindow, PostQuitMessage, ShowWindow, DefWindowProcA, DispatchMessageA, TranslateMessage, PostThreadMessageA, CharUpperA, SetWindowLongA, UnhookWindowsHookEx, SetWindowsHookExA, DestroyWindow, CallNextHookEx, CharNextA, SetDlgItemTextA, SendDlgItemMessageA, SetWindowTextA, PostMessageA, GetPropA, CreateWindowExA, RegisterClassA, KillTimer, LoadStringA, wsprintfA, GetMessageA, UnregisterClassA, SendMessageA
> ADVAPI32.dll: RegOpenKeyW, RegQueryValueExW, RegQueryValueExA, GetUserNameA, RegEnumKeyExA, RegQueryInfoKeyA, RegSetValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, RegOpenKeyExW
> ole32.dll: CoInitialize, CoRegisterClassObject, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree, StringFromGUID2, CoCreateInstance, CoRevokeClassObject, CoUninitialize, CoInitializeEx, GetRunningObjectTable, CreateClassMoniker
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -
> SHLWAPI.dll: PathFileExistsA

( 0 exports )

Thank you
doldi
Regular Member
 
Posts: 15
Joined: September 30th, 2008, 12:57 pm

Re: 0x8ddd0018 error and Hijack scan!Pl help

Unread postby John B. » October 7th, 2008, 4:00 pm

Hi,

Now let's remove the things ComboFix forgot. We will also upload some files for the developer of ComboFix.

Before you download the newest version of ComboFix please make sure there's no older version of ComboFix on your desktop! If there is one, please delete it.

Download Combofix from any of the links below, and save it to your desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: It is important that it is saved directly to your desktop!

Now close any open browsers. Also close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. For information on how to do that for your programs, see this webpage:
http://www.bleepingcomputer.com/forums/topic114351.html
Before disabling your security program, disconnect from the internet, as you can get infected very easily with your security disabled.

Open Notepad and copy/paste the text in the box into the window:

Code:
http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=35264

Collect::
C:\WINDOWS\system32\cbXRKCvT.dll
C:\WINDOWS\system32\tuvTmMeE.dll
C:\WINDOWS\system32\urqPfgEx.dll
C:\WINDOWS\system32\efcAPICU.dll

File::
C:\WINDOWS\system32\ljJAQGxw.dll
C:\WINDOWS\system32\khfGwWOG.dll
C:\WINDOWS\system32\ljjIaWOf.dll
C:\WINDOWS\system32\pMDuSMDu.dll
C:\WINDOWS\system32\jkkJaAqP.dll
C:\WINDOWS\system32\mlJAtQGa.dll
C:\WINDOWS\system32\geBqOHAQ.dll
C:\WINDOWS\system32\urqOHAQh.dll
C:\WINDOWS\system32\rqRIxwTN.dll
C:\WINDOWS\system32\urqOEwVo.dll
C:\WINDOWS\system32\ddcCRHYr.dll

Folder::
C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript.txt into ComboFix.exe
[Image: CFScript.txt being dragged onto ComboFix.exe]
This will let ComboFix run again. Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

When finished, it will produce a report for you. This report will also be saved in C:\ComboFix.txt

Note: When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

Note: Remember to reconnect and re-enable your antivirus and anti-malware programs.

Please post C:\ComboFix.txt (so from the C:\ folder) and a new HijackThis log.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: 0x8ddd0018 error and Hijack scan!Pl help

Post by doldi » October 7th, 2008, 4:54 pm

Hi there,

I sent the file off for submission and it was successful.

Here are the logs:

ComboFix 08-10-07.03 - vali 2008-10-07 21:46:23.4 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2282 [GMT 1:00]
Running from: C:\Documents and Settings\vali\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DIFxAPI.dll
C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DifXInstall32.exe
C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\GEARAspiWDM.inf
C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\gearaspiwdmx86.cat
C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspi.dll
C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspiWDM.sys
C:\WINDOWS\system32\ddcCRHYr.dll
C:\WINDOWS\system32\efcAPICU.dll
C:\WINDOWS\system32\efccYRHX.dll
C:\WINDOWS\system32\geBqOHAQ.dll
C:\WINDOWS\system32\jkkJaAqP.dll
C:\WINDOWS\system32\khfGwWOG.dll
C:\WINDOWS\system32\ljJAQGxw.dll
C:\WINDOWS\system32\ljjIaWOf.dll
C:\WINDOWS\system32\mlJAtQGa.dll
C:\WINDOWS\system32\pMDuSMDu.dll
C:\WINDOWS\system32\rqRIxwTN.dll
C:\WINDOWS\system32\tuvTmMeE.dll
C:\WINDOWS\system32\urqOEwVo.dll
C:\WINDOWS\system32\urqOHAQh.dll
C:\WINDOWS\system32\urqPfgEx.dll
C:\WINDOWS\system32\XHRYccfe.ini
C:\WINDOWS\system32\XHRYccfe.ini2

.
((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
.

2008-10-07 14:07 . 2008-10-07 14:07 324,564 --a------ C:\WINDOWS\system32\cbXrSjjG.dll
2008-10-06 18:47 . 2008-10-06 18:47 <DIR> d-------- C:\Documents and Settings\vali\Application Data\OnlineArmor
2008-10-06 18:47 . 2008-10-06 18:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2008-10-06 18:47 . 2008-04-17 05:25 80,584 --a------ C:\WINDOWS\system32\drivers\OADriver.sys
2008-10-06 18:47 . 2008-04-17 05:25 32,456 --a------ C:\WINDOWS\system32\drivers\OAmon.sys
2008-10-06 18:47 . 2008-04-17 05:25 28,872 --a------ C:\WINDOWS\system32\drivers\oanet.sys
2008-10-06 15:56 . 2008-10-06 15:56 <DIR> d-------- C:\Documents and Settings\vali\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-10-05 14:28 . 2008-10-05 14:28 <DIR> d-------- C:\Documents and Settings\vali\Application Data\dvdcss
2008-10-05 14:27 . 2008-10-05 14:27 <DIR> d-------- C:\Program Files\VideoLAN
2008-10-05 14:19 . 2008-10-05 14:19 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-10-05 14:09 . 2008-10-05 14:09 0 --a------ C:\WINDOWS\iPlayer.INI
2008-10-05 14:06 . 2008-10-05 14:06 <DIR> d-------- C:\Program Files\InterActual
2008-10-01 21:18 . 2008-10-01 21:18 <DIR> d--hs---- C:\FOUND.003
2008-09-30 22:53 . 2008-09-30 22:53 <DIR> d-------- C:\Program Files\iPod
2008-09-30 22:53 . 2008-09-30 22:53 <DIR> d-------- C:\Documents and Settings\vali\Application Data\Apple Computer
2008-09-30 22:53 . 2008-04-17 13:12 107,368 --a------ C:\WINDOWS\system32\GEARAspi.dll
2008-09-30 22:53 . 2008-04-17 13:12 15,464 --a------ C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2008-09-30 22:52 . 2008-09-30 22:52 <DIR> d-------- C:\Program Files\QuickTime
2008-09-30 22:52 . 2008-09-30 22:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-30 22:51 . 2008-09-30 22:51 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-09-30 21:54 . 2008-09-30 21:54 <DIR> d--hs---- C:\FOUND.002
2008-09-30 19:09 . 2008-09-30 19:09 <DIR> d--hs---- C:\FOUND.001
2008-09-30 18:28 . 2008-09-30 18:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-09-30 17:23 . 2008-09-30 17:23 <DIR> d--hs---- C:\FOUND.000
2008-09-29 21:43 . 2008-09-29 21:43 <DIR> d-------- C:\Program Files\Kontiki
2008-09-29 11:33 . 2008-09-29 11:33 <DIR> d-------- C:\Documents and Settings\vali\Application Data\Uniblue
2008-09-27 18:43 . 2008-09-27 18:43 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-09-26 16:57 . 2008-09-26 16:57 <DIR> d-------- C:\WINDOWS\Bs350u2
2008-09-26 16:57 . 2004-12-02 20:23 605,312 --a------ C:\WINDOWS\system32\drivers\Bs350u2.sys
2008-09-26 16:57 . 2004-10-07 20:38 81,920 --a------ C:\WINDOWS\system\vfwExtC.dll
2008-09-26 16:57 . 2004-10-07 20:25 77,824 --a------ C:\WINDOWS\system\FiltProp.dll
2008-09-26 16:57 . 2004-11-29 12:36 40,960 --a------ C:\WINDOWS\Bs350u2r.exe
2008-09-26 16:57 . 2003-09-22 13:49 15,190 --a------ C:\WINDOWS\M1000Twn.ini
2008-09-26 16:57 . 2003-09-22 14:36 13,448 --a------ C:\WINDOWS\M1000Twn.src
2008-09-26 16:57 . 2004-06-17 22:23 12,537 --a------ C:\WINDOWS\system\S10H0110.csr
2008-09-26 16:57 . 2004-06-26 17:39 11,528 --a------ C:\WINDOWS\system\S10F0110.csr
2008-09-26 16:57 . 2004-06-16 20:38 3,031 --a------ C:\WINDOWS\system32\drivers\C10H0110.bin
2008-09-26 16:57 . 2004-06-16 20:38 3,031 --a------ C:\WINDOWS\system32\drivers\C10F0110.bin
2008-09-26 14:56 . 2008-09-26 14:56 <DIR> d-------- C:\Program Files\MagicDisc
2008-09-24 13:07 . 2008-09-24 13:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-05 13:19 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-10-05 13:19 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-09-04 13:03 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-09-04 12:58 --------- d-----w C:\Program Files\NOS
2008-09-04 12:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-09-04 11:15 --------- d-----w C:\Program Files\PowerISO
2008-09-04 11:02 --------- d-----w C:\Documents and Settings\vali\Application Data\Canon
2008-09-03 23:49 --------- d-----w C:\Program Files\Apple Software Update
2008-09-03 23:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-09-03 14:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\ALM
2008-09-03 14:02 --------- d-----w C:\Program Files\Bonjour
2008-09-03 13:58 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-09-03 13:42 --------- d-----w C:\Program Files\MagicISO
2008-09-02 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-09-02 21:50 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-02 17:41 --------- d-----w C:\Program Files\DNA
2008-09-01 12:00 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-09-01 11:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-09-01 11:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Channel4
2008-08-29 21:09 --------- d-----w C:\Program Files\Real
2008-08-29 21:09 --------- d-----w C:\Program Files\Common Files\Real
2008-08-29 19:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-08-29 09:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe
2008-08-29 08:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
2008-08-28 22:46 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-08-28 22:43 --------- d-sh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-28 22:42 --------- d-----w C:\Program Files\Windows Live
2008-08-28 22:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-28 22:38 --------- d-----w C:\Documents and Settings\vali\Application Data\skypePM
2008-08-28 22:37 --------- d-----w C:\Program Files\Skype
2008-08-28 22:37 --------- d-----w C:\Program Files\Google
2008-08-28 22:37 --------- d-----w C:\Program Files\Common Files\Skype
2008-08-28 22:37 --------- d-----w C:\Documents and Settings\vali\Application Data\Skype
2008-08-28 22:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-28 22:11 --------- d-----w C:\Program Files\ESET
2008-08-28 22:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-08-28 19:57 --------- d-----w C:\Program Files\WIDCOMM
2008-08-28 19:56 --------- d-----w C:\Program Files\Wlan
2008-08-28 19:53 --------- d-----w C:\Program Files\Synaptics
2008-08-28 19:44 --------- d-----w C:\Program Files\Realtek
2008-08-28 19:41 --------- d-----w C:\Program Files\Intel
2008-08-28 19:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-28 19:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-28 19:32 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-18 12:27 34,312 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-08-18 12:19 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-08-18 12:18 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-18 21:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 21:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
.

((((((((((((((((((((((((((((( snapshot@2008-10-07_12.01.06.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-07 20:40:44 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_1f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-08-12 21741864]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-08-28 171448]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-29 5898240]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-04-29 102490]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-04-29 708698]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-08-18 1447168]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-09-09 196608]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 1032640]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="D:\Programs\iTunesHelper.exe" [2008-09-10 289576]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"OnlineArmor GUI"="D:\Programs\Online Armor\oaui.exe" [2008-04-17 5545536]
"PtiuPbmd"="ptipbm.dll" [2005-01-14 C:\WINDOWS\system32\ptipbm.dll]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-04-29 C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-29 C:\WINDOWS\ALCWZRD.EXE]
"nwiz"="nwiz.exe" [2005-04-29 C:\WINDOWS\system32\nwiz.exe]
"CHotkey"="mHotkey.exe" [2001-12-26 C:\WINDOWS\mHotkey.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WLAN Configuration Utility.lnk - C:\Program Files\Wlan\IPN2220\wlan_ui.exe [2004-11-08 454656]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-03-03 512061]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\System32\\USMT\\MIGWIZ.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"D:\\Programs\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-08-18 34312]
R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2008-04-17 80584]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2008-04-17 32456]
R1 OAnet;OAnet;C:\WINDOWS\system32\drivers\OAnet.sys [2008-04-17 28872]
R3 Slazldrv;SmartLink AMR_PCI Driver;C:\WINDOWS\system32\DRIVERS\SLDRV\slazldrv.sys [2005-04-29 230448]
S2 SvcOnlineArmor;Online Armor;D:\Programs\Online Armor\oasrv.exe [2008-04-17 5435968]
S3 CB54G3;Wireless CB54G3/MP54G3 Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\i2220ntx.sys [2004-04-27 148480]
.
Contents of the 'Scheduled Tasks' folder

2008-09-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{E7604E8A-43F0-4005-885A-DF2A385E1FB7} - C:\WINDOWS\system32\efccYRHX.dll
Notify-cbXRKCvT - cbXRKCvT.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\vali\Application Data\Mozilla\Firefox\Profiles\ckajjtx5.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.grapevinejobs.com/home.asp
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 21:47:32
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
Completion time: 2008-10-07 21:47:57
ComboFix-quarantined-files.txt 2008-10-07 20:47:56
ComboFix2.txt 2008-10-07 11:01:22

Pre-Run: 959,897,600 bytes free
Post-Run: 951,394,304 bytes free

234 --- E O F --- 2008-10-06 17:46:28



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:21 PM, on 10/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kontiki\KHost.exe
D:\Programs\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Wlan\IPN2220\wlan_ui.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
D:\Programs\Online Armor\oaui.exe
D:\Programs\Online Armor\oasrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Programs\Hijack This\goodscaner.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lolaevents.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programs\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OnlineArmor GUI] "D:\Programs\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - Global Startup: WLAN Configuration Utility.lnk = C:\Program Files\Wlan\IPN2220\wlan_ui.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5036.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - D:\Programs\Online Armor\oasrv.exe

--
End of file - 7626 bytes
doldi
Regular Member
 
Posts: 15
Joined: September 30th, 2008, 12:57 pm
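The CFScript format John B. describes (Collect::, File:: and Folder:: directives, one target per line) and the ComboFix and HijackThis logs doldi posted in reply can be cross-checked mechanically rather than by eye. The Python below is an added example for this thread, not ComboFix's, HijackThis's or the forum's own code: it parses the directives, checks each target against the "Other Deletions" section of ComboFix.txt, lists freshly created system32 DLLs with generated-looking names from the "Files Created" section, and flags HijackThis O2 entries that point at a missing file or at such a DLL. All three sample inputs are constructed for the example (they reuse file names and the log layouts seen in this thread), and the random-name heuristic (eight letters, mixed case, several case flips or a long consonant run) is this example's own triage rule, not a detection signature.

```python
"""Cross-check a ComboFix CFScript against the ComboFix and HijackThis logs it led to.
Added example for this thread, not ComboFix or HijackThis code; all samples are constructed."""
import re

# Constructed CFScript: a directive ending in '::', then one target per line.
SAMPLE_CFSCRIPT = r"""
Collect::
C:\WINDOWS\system32\cbXRKCvT.dll
C:\WINDOWS\system32\tuvTmMeE.dll
File::
C:\WINDOWS\system32\khfGwWOG.dll
Folder::
C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
"""
# Constructed ComboFix.txt excerpt (section banners, deletion list, a Files Created row).
SAMPLE_COMBOFIX_LOG = r"""
(((((((((((((((((((( Other Deletions ))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
C:\WINDOWS\system32\khfGwWOG.dll
C:\WINDOWS\system32\tuvTmMeE.dll
.
(((((((((((( Files Created from 2008-09-07 to 2008-10-07 ))))))))))))
.
2008-10-07 14:07 . 2008-10-07 14:07 324,564 --a------ C:\WINDOWS\system32\cbXrSjjG.dll
"""
# Constructed HijackThis O2 (browser helper object) lines.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E7604E8A-43F0-4005-885A-DF2A385E1FB7} - C:\WINDOWS\system32\efccYRHX.dll
"""

DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
SYS32_DLL = re.compile(r"\\system32\\([A-Za-z]+)\.dll$", re.IGNORECASE)
HJT_O2 = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
CREATED = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \. \S+ \S+ (\S+) \S+ (.+)$")

def parse_cfscript(text):
    """Map each '::' directive to its targets; text before the first directive is ignored."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def combofix_section(log, title):
    """Non-empty lines between the '(((( title ))))' banner and the next banner."""
    inside, out = False, []
    for line in log.splitlines():
        if line.startswith("(((("):
            inside = title in line
        elif inside and line.strip():
            out.append(line.strip())
    return out

def verify_cleanup(script, log):
    """True per CFScript target that ComboFix listed under 'Other Deletions'. False means
    'not listed', not 'still present' (it may already have been gone): check the new HijackThis log."""
    deleted = {l.lower() for l in combofix_section(log, "Other Deletions") if DRIVE_PATH.match(l)}
    return {p: p.lower() in deleted for d in ("Collect", "File", "Folder") for p in script.get(d, [])}

def looks_random(stem):
    """Triage heuristic: eight letters, mixed case, and 2+ case flips or 4+ consonants in a row."""
    if len(stem) != 8 or not stem.isalpha() or stem.islower() or stem.isupper():
        return False
    flips = sum(a.islower() != b.islower() for a, b in zip(stem, stem[1:]))
    run = longest = 0
    for ch in stem:
        run = 0 if ch in "aeiouAEIOU" else run + 1
        longest = max(longest, run)
    return flips >= 2 or longest >= 4

def suspicious_new_dlls(log):
    """(date, path) of system32 DLLs under 'Files Created' whose names look generated."""
    hits = []
    for line in combofix_section(log, "Files Created"):
        m = CREATED.match(line)
        if m and m.group(2) != "<DIR>":
            dll = SYS32_DLL.search(m.group(3))
            if dll and looks_random(dll.group(1)):
                hits.append((m.group(1), m.group(3)))
    return hits

def review_hjt(log):
    """(line, reason) for HijackThis entries worth a second look."""
    findings = []
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        m = HJT_O2.match(line)
        if m and m.group("path") == "(no file)":
            findings.append((line, "orphan BHO: CLSID registered but DLL missing"))
            continue
        dll = SYS32_DLL.search(line)
        if dll and looks_random(dll.group(1)):
            findings.append((line, "generated-looking system32 DLL name"))
    return findings
```

A False from verify_cleanup is a prompt to search the new HijackThis log for that name, not proof that the file survived; a hit from suspicious_new_dlls dated the same day as the scan is the entry a helper would ask about next. The heuristic is deliberately restricted to DLLs under system32 so that legitimate mixed-case program names elsewhere on the disk are not flagged.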