Help needed to remove userinit.exe error from a laptop [RESOLVED]


  • This topic is locked

#1
elreeds
Member, 63 posts
I'm having to post this from another computer as the particular laptop that is affected is just too slow to work with for the second. But recently, when the laptop is started up, the start-up screen appears and when you log in as a user, an error message comes up about 'userinit.exe'. Once pressing 'OK' to continue, my desktop background came up but without the icons. Having read some articles, it was suggested that I get the Task Manager up and run explorer. I did so and my desktop loaded correctly. Nevertheless, I was further presented with an error message about 'rundll32.exe'.

With everything loading slowly onto the laptop (this laptop has got slower and slower over time and it's painful to wait for it to load up every time), it almost looked as good as new. However, Firefox wouldn't load internet pages, so I decided to restart the laptop. This time, no messages came up (neither userinit.exe nor rundll32.exe) but whenever I tried to get onto this website on the laptop, another internet site came up: 'www.chilico.com'. Sometimes it loads this website and sometimes it doesn't. I have found that I've been more successful when using Internet Explorer rather than Firefox, though.

Please can someone help me with this problem as it is highly frustrating!

Thank you

Edited by elreeds, 04 August 2008 - 11:45 AM.



#2
elreeds (Topic Starter)
Member, 63 posts
Seriously, is there anyone available to help me?!?!?!

#3
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts
Before I can help I will need more information.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#4
elreeds (Topic Starter)
Member, 63 posts
main.txt

Deckard's System Scanner v20071014.68
Run by SYSTEM on 2008-08-08 20:15:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
103: 2008-08-08 19:15:51 UTC - RP748 - Deckard's System Scanner Restore Point
102: 2008-07-28 01:52:10 UTC - RP747 - System Checkpoint
101: 2008-07-26 22:27:52 UTC - RP746 - Last known good configuration
100: 2008-07-26 22:27:30 UTC - RP745 - Software Distribution Service 3.0
99: 2008-07-26 22:27:30 UTC - RP744 - Software Distribution Service 3.0

-- First Restore Point --
1: 2008-07-26 22:25:50 UTC - RP646 - Software Distribution Service 3.0

Backed up registry hives.
Performed disk cleanup.
Percentage of Memory in Use: 85% (more than 75%).
Total Physical Memory: 479 MiB (512 MiB recommended).

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-08 20:20:55
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\QW1lbGlhIFJlZWRz\command.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft ActiveSync\rapimgr.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\mrofinu.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\LocalService\Desktop\dss.exe
C:\Program Files\AV9\av2009.exe
C:\WINDOWS\system32\rundll32.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...o&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.c...NWLobUOZUBItbg=
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {16EC00C6-90B4-4956-BE82-96A007727458} - C:\WINDOWS\system32\tuvSljkK.dll
O2 - BHO: (no name) - {3203C641-8301-4513-9A5A-C815EE3437C3} - C:\WINDOWS\system32\pmnnOEwW.dll
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\WINDOWS\system32\lljvpeos.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: targetedbanner browser optimizer - {a16acb9e-ecbb-fcf6-850e-265e702ac1fa} - C:\WINDOWS\system32\vlpnbeebokph.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: {e827cb59-e9a7-8569-17b4-dd4a88be655e} - {e556eb88-a4dd-4b71-9658-7a9e95bc728e} - C:\WINDOWS\system32\ycbirp.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Greg\lsass.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF968951185EFC412806867680AEDE604D64C2661373F819EBDCD66A47
O4 - HKLM\..\Run: [{525161ae-1c3a-77c1-2561-1ea790ee1deb}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\vlpnbeebokph.dll" DllStart
O4 - HKLM\..\Run: [4289727e] rundll32.exe "C:\WINDOWS\system32\ysjvomtx.dll",b
O4 - HKLM\..\Run: [BM41ba41e2] Rundll32.exe "C:\WINDOWS\system32\slvevmbd.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O4 - HKCU\..\Run: [39855845889158728651099187833999] C:\Program Files\AV9\av2009.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [39855845889158728651099187833999] C:\Program Files\AV9\av2009.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [39855845889158728651099187833999] C:\Program Files\AV9\av2009.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} () - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} () - http://download.reds.../113/rssoft.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: tuvSljkK - C:\WINDOWS\system32\tuvSljkK.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QW1lbGlhIFJlZWRz\command.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\system32\TuneUpDefragService.exe

--
End of file - 8289 bytes
-- File Associations -----------------------------------------------------------
All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
All drivers whitelisted.

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 cmdService (Command Service) - c:\windows\qw1lbglhifjlzwrz\command.exe
R2 Network Monitor - c:\program files\network monitor\netmon.exe service
S3 hpqwmi (HP WMI Interface) - c:\program files\hpq\shared\hpqwmi.exe <Not Verified; Hewlett-Packard Development Company, L.P.; hpqwmi Module>

-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Photosmart C4380 series
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: HP Photosmart C4380
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Photosmart C4380 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C4380 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:

-- Scheduled Tasks -------------------------------------------------------------
2008-07-22 17:46:10 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-07-18 19:18:32 374 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job

-- Files created between 2008-07-08 and 2008-08-08 -----------------------------
2008-08-08 20:23:27 75776 --a------ C:\WINDOWS\system32\ieupdates.exe <IEUPDA~1.EXE>
2008-08-08 20:18:48 83456 --a------ C:\WINDOWS\system32\ysjvomtx.dll
2008-08-08 20:17:26 0 d-------- C:\Program Files\AV9
2008-08-08 20:15:15 2048 --a------ C:\WINDOWS\system32\gagiuwbb.exe
2008-08-08 20:14:52 0 d-------- \Deckard
2008-08-08 20:14:30 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-08-08 20:12:16 101888 --a------ C:\WINDOWS\system32\ycbirp.dll
2008-08-08 20:12:15 101888 --a------ C:\WINDOWS\system32\qlrdwieq.dll
2008-08-08 20:09:34 93696 --a------ C:\WINDOWS\system32\slvevmbd.dll
2008-08-08 20:08:52 92160 --a------ C:\WINDOWS\system32\lljvpeos.dll
2008-08-04 18:13:02 2048 --a------ C:\WINDOWS\system32\jexvcnvp.exe
2008-08-04 18:10:02 102400 --a------ C:\WINDOWS\system32\mjlieb.dll
2008-08-04 18:10:02 102400 --a------ C:\WINDOWS\system32\gdmdvvwi.dll
2008-08-04 18:07:02 82944 --a------ C:\WINDOWS\system32\xwhuagvl.dll
2008-08-04 18:04:02 92672 --a------ C:\WINDOWS\system32\hvsfssos.dll
2008-08-04 18:03:09 92160 --a------ C:\WINDOWS\system32\jnlaylqg.dll
2008-08-02 09:32:27 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-08-02 09:32:27 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-08-02 09:26:56 83456 --a------ C:\WINDOWS\system32\iblwoapx.dll
2008-08-02 09:23:58 110080 --a------ C:\WINDOWS\system32\wtmgte.dll
2008-08-02 09:23:58 110080 --a------ C:\WINDOWS\system32\ebwqlkpq.dll
2008-08-02 09:20:56 93184 --a------ C:\WINDOWS\system32\xeyhefoi.dll
2008-08-02 09:19:42 92160 --a------ C:\WINDOWS\system32\itibnqtj.dll
2008-08-01 21:19:00 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-08-01 21:18:56 0 d-------- C:\Documents and Settings\LocalService\Application Data\Talkback
2008-08-01 21:18:23 0 d-------- C:\Documents and Settings\LocalService\Application Data\Mozilla
2008-08-01 20:43:05 0 d-------- C:\Program Files\mjc
2008-08-01 20:43:02 0 d-------- C:\Program Files\InetGet2
2008-08-01 10:48:24 160768 --a------ C:\WINDOWS\system32\vlpnbeebokph.dll <VLPNBE~1.DLL>
2008-07-28 15:23:13 102912 --a------ C:\WINDOWS\system32\yoxzab.dll
2008-07-28 15:23:12 102912 --a------ C:\WINDOWS\system32\mfutmlrf.dll
2008-07-28 15:20:14 92160 --a------ C:\WINDOWS\system32\wneombry.dll
2008-07-28 15:17:57 93184 --a------ C:\WINDOWS\system32\cvparxsm.dll
2008-07-28 15:17:12 597973 --ahs---- C:\WINDOWS\system32\klloonpo.ini2 <KLLOON~1.INI>
2008-07-28 15:16:58 282624 --a------ C:\WINDOWS\system32\opnoollk.dll
2008-07-28 13:21:33 83968 --a------ C:\WINDOWS\system32\nisximby.dll
2008-07-28 13:18:34 102400 --a------ C:\WINDOWS\system32\fqcwzw.dll
2008-07-28 13:18:33 102400 --a------ C:\WINDOWS\system32\fcgcawws.dll
2008-07-28 13:15:33 92160 --a------ C:\WINDOWS\system32\sfnnskwm.dll
2008-07-28 13:12:34 93184 --a------ C:\WINDOWS\system32\esgvemto.dll
2008-07-27 13:48:54 32768 --a------ C:\WINDOWS\system32\geBUnoLf.dll
2008-07-27 13:48:53 32768 --a------ C:\WINDOWS\system32\yayaASLE.dll
2008-07-27 13:18:42 102400 --a------ C:\WINDOWS\system32\jedrok.dll
2008-07-27 13:18:37 102400 --a------ C:\WINDOWS\system32\rsogwrft.dll
2008-07-27 13:15:37 83968 --a------ C:\WINDOWS\system32\plsfnwog.dll
2008-07-27 13:12:37 93696 --a------ C:\WINDOWS\system32\ijgrnbqf.dll
2008-07-27 13:10:22 92160 --a------ C:\WINDOWS\system32\rgqrxacc.dll
2008-07-26 23:39:28 0 d-------- C:\Program Files\iCheck
2008-07-26 23:39:28 0 d-------- C:\Program Files\GetPack
2008-07-26 23:25:35 626494 --ahs---- C:\WINDOWS\system32\WwEOnnmp.ini2 <WWEONN~1.INI>
2008-07-26 23:25:26 283136 --a------ C:\WINDOWS\system32\pmnnOEwW.dll
2008-07-26 23:21:57 687592 --a------ C:\WINDOWS\system32\atmtd.dll
2008-07-26 23:21:48 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2008-07-26 23:21:30 1989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2008-07-26 23:21:30 0 d-------- C:\Program Files\Network Monitor
2008-07-26 23:21:29 0 d--hs---- C:\WINDOWS\QW1lbGlhIFJlZWRz
2008-07-26 23:21:12 64864 --a------ C:\WINDOWS\system32\xhkgjlzisujpnp.exe <XHKGJL~1.EXE>
2008-07-26 23:20:49 0 d-------- C:\WINDOWS\system32\tebg4
2008-07-26 23:20:49 0 d-------- C:\WINDOWS\system32\cur2
2008-07-26 23:20:24 0 d-------- C:\WINDOWS\system32\kBin02
2008-07-26 23:20:24 0 d-------- \Temp
2008-07-26 23:20:07 32768 --a------ C:\WINDOWS\system32\urqQgddD.dll
2008-07-26 23:20:05 32768 --a------ C:\WINDOWS\system32\tuvSljkK.dll
2008-07-25 15:50:06 355840 --a------ C:\WINDOWS\b148.exe
2008-07-24 16:02:24 91136 --a------ C:\WINDOWS\b152.exe
2008-07-23 22:13:46 85504 ---hs---- C:\Documents and Settings\Greg\lsass.exe
2008-07-23 20:54:18 44544 -ra------ C:\WINDOWS\mrofinu1188.exe
2008-07-23 20:54:18 44544 -ra------ C:\WINDOWS\mrofinu1000106.exe
2008-07-15 14:28:38 0 d-------- C:\Program Files\uTorrent
2008-07-15 14:28:27 0 d-------- C:\Documents and Settings\Greg\Application Data\uTorrent
2008-07-15 01:19:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-07-15 01:15:50 1334 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

-- Find3M Report ---------------------------------------------------------------
2008-08-08 20:04:59 501731328 --ahs---- \hiberfil.sys
2008-08-08 20:04:52 754974720 --ahs---- \pagefile.sys
2008-07-23 21:44:58 0 d-------- C:\Program Files\mIRC
2008-06-02 14:37:57 148003 --a------ C:\WINDOWS\hpoins21.dat

-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16EC00C6-90B4-4956-BE82-96A007727458}]
26/07/2008 23:20 32768 --a------ C:\WINDOWS\system32\tuvSljkK.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3203C641-8301-4513-9A5A-C815EE3437C3}]
26/07/2008 23:25 283136 --a------ C:\WINDOWS\system32\pmnnOEwW.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{514A5C49-0C7D-42c3-A71B-38864A269B7A}]
08/08/2008 20:08 92160 --a------ C:\WINDOWS\system32\lljvpeos.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a16acb9e-ecbb-fcf6-850e-265e702ac1fa}]
01/08/2008 10:48 160768 --a------ C:\WINDOWS\system32\vlpnbeebokph.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e556eb88-a4dd-4b71-9658-7a9e95bc728e}]
08/08/2008 20:12 101888 --a------ C:\WINDOWS\system32\ycbirp.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [17/09/2004 17:19]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [07/02/2006 08:39]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [07/02/2006 08:36]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [07/02/2006 08:40]
"LSA Shellu"="C:\Documents and Settings\Greg\lsass.exe" [28/04/2008 14:51]
"runner1"="C:\WINDOWS\mrofinu1188.exe" [23/07/2008 20:54]
"{525161ae-1c3a-77c1-2561-1ea790ee1deb}"="C:\WINDOWS\system32\vlpnbeebokph.dll" [01/08/2008 10:48]
"4289727e"="C:\WINDOWS\system32\ysjvomtx.dll" [08/08/2008 20:18]
"BM41ba41e2"="C:\WINDOWS\system32\slvevmbd.dll" [08/08/2008 20:09]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [04/08/2004 09:00]
"39855845889158728651099187833999"="C:\Program Files\AV9\av2009.exe" [08/08/2008 20:17]
"ieupdate"="C:\WINDOWS\system32\ieupdates.exe" [08/08/2008 20:23]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"39855845889158728651099187833999"=C:\Program Files\AV9\av2009.exe
"ieupdate"="C:\WINDOWS\system32\ieupdates.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{16EC00C6-90B4-4956-BE82-96A007727458}"= C:\WINDOWS\system32\tuvSljkK.dll [26/07/2008 23:20 32768]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvSljkK]
tuvSljkK.dll 26/07/2008 23:20 32768 C:\WINDOWS\system32\tuvSljkK.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnnOEwW
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
"4oD"="C:\Program Files\Kontiki\KHost.exe" -all
"PCSuiteTrayApplication"=C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Symantec NetDriver Monitor"=C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc
HPService HPSLPSVC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp


-- End of Deckard's System Scanner: finished at 2008-08-08 20:26:04 ------------

extra.txt


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel® Pentium® M processor 1.50GHz
Percentage of Memory in Use: 88%
Physical Memory (total/avail): 478.42 MiB / 53.17 MiB
Pagefile Memory (total/avail): 1121.01 MiB / 621.46 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1927.82 MiB
C: is Fixed (NTFS) - 55.88 GiB total, 34.75 GiB free.
D: is CDROM (No Media)
\\.\PHYSICALDRIVE0 - TOSHIBA MK6025GAS - 55.89 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 55.88 GiB - C:

-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.
FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Documents and Settings\\Greg\\My Documents\\My Downlads\\SPStudio\\SPStudio.exe"="C:\\Documents and Settings\\Greg\\My Documents\\My Downlads\\SPStudio\\SPStudio.exe:*:Enabled:SmartPhone Studio"
"C:\\Program Files\\burst\\core-new1.1.3\\btdownloadheadless.exe"="C:\\Program Files\\burst\\core-new1.1.3\\btdownloadheadless.exe:*:Enabled:burst! download engine"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Steam\\SteamApps\\[email protected]\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\[email protected]\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\RSSoft\\RSEDNClient.exe"="C:\\Program Files\\RSSoft\\RSEDNClient.exe:*:Enabled:RSEDNClient"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"="C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"="C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"
"D:\\setup\\HPZNUI01.EXE"="D:\\setup\\HPZNUI01.EXE:*:Enabled:hpznui01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Documents and Settings\\Greg\\Local Settings\\Temp\\WZSE0.TMP\\SymNRT.exe"="C:\\Documents and Settings\\Greg\\Local Settings\\Temp\\WZSE0.TMP\\SymNRT.exe:*:Enabled:Symantec Removal Utility"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"

-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WORK
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
USERPROFILE=C:\Documents and Settings\LocalService
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------
Amelia Reeds (admin)
Kevin Reeds (admin)
Greg (admin)
Erin (admin)

-- Add/Remove Programs ---------------------------------------------------------
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D5DFD1A-5B25-48B7-B4D5-E04778BDC676}\Setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
32 Bit HP CIO Components Installer --> MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
4oD --> MsiExec.exe /I {8B7443F5-E141-42A0-AB61-ED2331AAD606}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
ArcSoft PhotoImpression --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E142615E-5ED8-4511-9BF0-0284BFA25766}\Setup.exe" -l0x9 -uninst
ArcSoft VideoImpression 1.6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ED10343F-D30A-4200-9B00-665FC45F52B4}\Setup.exe" -l0x9 -uninst
CIF USB Camera (2110A) --> C:\WINDOWS\CleanDev.exe C:\WINDOWS\DC2110a.ini
Command --> wscript "C:\WINDOWS\QW1lbGlhIFJlZWRz\kqY5v351KIL5tqlW.vbs"
Conexant AC-Link Audio --> CIAunwdm.exe
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EndItAll 2.0 --> "C:\Program Files\EndItAll\unins000.exe"
Enhancement Browser Tools Targetedbanner --> C:\WINDOWS\system32\xhkgjlzisujpnp.exe
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Imaging Device Functions 9.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP OCR Software 9.0 --> C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
HP Photosmart All-In-One Software 9.0 --> C:\Program Files\HP\Digital Imaging\{D64BC2CF-0F12-47d7-B412-B4F3FD684253}\setup\hpzscr01.exe -datfile hposcr21.dat
HP Photosmart Essential 2.01 --> C:\Program Files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
Internet Speed Monitor --> C:\Program Files\iCheck\Uninstall.exe
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java 2 Runtime Environment, SE v1.4.2_05 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142050}
LimeWire 4.10.9 --> "C:\Program Files\LimeWire\uninstall.exe"
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Microsoft ActiveSync 4.0 --> MsiExec.exe /I{B208806F-A231-4FA0-AB3F-5C1B8979223E}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
mIRC --> C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSN Toolbar --> C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\mtbs.exe c
Network Monitor --> wscript "C:\WINDOWS\uninstall_nmon.vbs"
Nokia Connectivity Cable Driver --> MsiExec.exe /X{E4DD8B33-6F9B-41C5-96FF-5DBF27ED23E7}
Nokia Lifeblog 2.1 --> MsiExec.exe /I{EE565795-2776-415A-B31C-EB3A8D7C6FA4}
Nokia MTP driver --> MsiExec.exe /I{59359B3D-ABE7-46BF-AB55-43B67A64DC68}
Nokia N73 highlights --> MsiExec.exe /I{02B71D92-A84B-4DFB-9A10-D12BB01AC1F2}
Nokia PC Connectivity Solution --> MsiExec.exe /I{588AA47B-9115-44D3-B2E5-4F10BC659D6C}
Nokia PC Suite --> MsiExec.exe /I{508FA22B-AFFC-46CD-9441-2567976574A4}
Nokia Software Updater --> MsiExec.exe /X{3741689E-584D-40C9-B011-373A0371846D}
Nokia themes for your device --> MsiExec.exe /I{77F5816C-64A6-4FBE-BBE5-52EFE5EB84E8}
Quick Launch Buttons 5.00 C2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB326EC-8F40-47B2-BA22-BB092565D66F}\setup.exe" -l0x9 -uninst
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SoftV92 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_3080103C\HXFSETUP.EXE -U -Ihpm30805.inf
Steam™ --> C:\PROGRA~1\Steam\UNWISE.EXE C:\PROGRA~1\Steam\INSTALL.LOG
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C569D686-A444-4AF0-A437-15CBB2816E34}
TuneUp Utilities 2008 --> MsiExec.exe /I{5888428E-699C-4E71-BF71-94EE06B497DA}
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VeohTV BETA --> C:\Program Files\InstallShield Installation Information\{D1B11537-EA51-4DD8-BF1E-098BEE48868D}\setup.exe -runfromtemp -l0x0409
VideoLAN VLC media player 0.8.4a --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Driver Package - Nokia Modem (04/06/2006 6.8.0.17) --> C:\PROGRA~1\DIFX\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_7F91C37896B530901B0665F9EF32E19FF06F5687\nokbtmdm.inf
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"

-- Application Event Log -------------------------------------------------------
Event Record #/Type23612 / Success
Event Submitted/Written: 08/04/2008 06:28:03 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.
Event Record #/Type23600 / Success
Event Submitted/Written: 08/04/2008 06:03:00 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.
Event Record #/Type23567 / Success
Event Submitted/Written: 08/02/2008 09:19:50 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.
Event Record #/Type23559 / Success
Event Submitted/Written: 08/01/2008 08:39:09 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.
Event Record #/Type23526 / Error
Event Submitted/Written: 07/28/2008 03:09:02 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hpqtra08.exe, version 90.0.146.0, faulting module hpqtra08.exe, version 90.0.146.0, fault address 0x0000bf08.
Processing media-specific event for [hpqtra08.exe!ws!]

-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------
Event Record #/Type82839 / Warning
Event Submitted/Written: 08/08/2008 08:09:45 PM / 08/08/2008 08:09:46 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
Event Record #/Type82814 / Warning
Event Submitted/Written: 08/07/2008 07:53:20 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0012F06B7FCD. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Event Record #/Type82771 / Warning
Event Submitted/Written: 08/06/2008 06:30:01 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0012F06B7FCD. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Event Record #/Type82769 / Error
Event Submitted/Written: 08/06/2008 06:28:40 PM
Event ID/Source: 32003 / ipnathlp
Event Description:
The Network Address Translator (NAT) was unable to request an operation
of the kernel-mode translation module.
This may indicate misconfiguration, insufficient resources, or
an internal error.
The data is the error code.
Event Record #/Type82768 / Warning
Event Submitted/Written: 08/06/2008 06:28:36 PM
Event ID/Source: 2504 / Server
Event Description:
The server could not bind to the transport \Device\NetBT_Tcpip_{54B963F2-726C-4C52-92DD-7E0159D4DE61}.

-- End of Deckard's System Scanner: finished at 2008-08-08 20:26:04 ------------
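The helper's first pass over the log above is a read of the Add/Remove Programs section for entries that do not belong. An added Python example, not from the thread and not part of Deckard's System Scanner, that applies a few triage heuristics to lines in that format; the heuristics and the function names are assumptions for illustration, not signatures, and the sample lines are copied from the log above:

```python
import base64
import re
from typing import Dict, List

# Constructed sample: lines copied from the Add/Remove Programs section of the
# DSS log above, in the "<display name> --> <uninstall command>" form it prints.
SAMPLE_LOG = r"""
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Command --> wscript "C:\WINDOWS\QW1lbGlhIFJlZWRz\kqY5v351KIL5tqlW.vbs"
Enhancement Browser Tools Targetedbanner --> C:\WINDOWS\system32\xhkgjlzisujpnp.exe
Network Monitor --> wscript "C:\WINDOWS\uninstall_nmon.vbs"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
"""

SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".js", ".wsf")
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # a double-quoted token or a bare one
# A binary sitting directly in system32 (not in a vendor subfolder), letters only.
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\([a-z]+)\.(?:exe|dll)$", re.I)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")
VOWELS = set("aeiouy")


def tokenize(cmd: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def longest_consonant_run(word: str) -> int:
    run = best = 0
    for ch in word.lower():
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): 8+ letters, no digits, and a run of 4+ consonants."""
    return stem.isalpha() and len(stem) >= 8 and longest_consonant_run(stem) >= 4


def decodes_to_text(component: str) -> bool:
    """True if a path component is well-formed base64 that decodes to printable ASCII."""
    if not B64_RE.match(component) or len(component) % 4:
        return False
    try:
        raw = base64.b64decode(component, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return bool(raw) and all(32 <= b < 127 for b in raw)


def triage_entry(name: str, cmd: str) -> List[str]:
    """Return the reasons one Add/Remove entry deserves a closer look (empty if none)."""
    reasons: List[str] = []
    tokens = tokenize(cmd)
    if not tokens:
        return reasons
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    if exe in SCRIPT_HOSTS and any(t.lower().endswith(SCRIPT_EXTS) for t in tokens[1:]):
        reasons.append("uninstaller is a script run through a script host")
    for tok in tokens:
        path = tok.split(",", 1)[0]  # drop a rundll32 ",EntryPoint" suffix
        m = SYSTEM32_RE.match(path)
        if m and looks_random(m.group(1)):
            reasons.append(f"random-looking binary directly in system32: {path}")
        for comp in path.split("\\")[1:-1]:  # directory components only
            if decodes_to_text(comp):
                reasons.append(f"folder name is base64 of printable text: {comp}")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged display name to its reasons; clean entries are omitted."""
    flagged: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if " --> " not in line:
            continue
        name, cmd = line.split(" --> ", 1)
        reasons = triage_entry(name.strip(), cmd.strip())
        if reasons:
            flagged[name.strip()] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

On the sample the three entries flagged are exactly the ones the helper later lists for removal, while the MSI and vendor-folder uninstallers pass; the base64 check reports only that a folder name decodes, not what it decodes to.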

#5
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
At the moment it is a toss-up as to whether there are more Trojan files than MS files. But let's try and set that to rights.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\QW1lbGlhIFJlZWRz
    C:\WINDOWS\mrofinu.exe
    C:\Program Files\AV9
    C:\WINDOWS\system32\tuvSljkK.dll
    C:\WINDOWS\system32\pmnnOEwW.dll
    C:\WINDOWS\system32\lljvpeos.dll
    C:\WINDOWS\system32\vlpnbeebokph.dll
    C:\WINDOWS\system32\ycbirp.dll
    C:\Documents and Settings\Greg\lsass.exe
    C:\WINDOWS\mrofinu1188.exe 
    C:\WINDOWS\system32\ysjvomtx.dll
    C:\WINDOWS\system32\slvevmbd.dll
    C:\WINDOWS\system32\ieupdates.exe 
    C:\WINDOWS\system32\gagiuwbb.exe
    C:\WINDOWS\system32\ycbirp.dll
    C:\WINDOWS\system32\qlrdwieq.dll
    C:\WINDOWS\system32\slvevmbd.dll
    C:\WINDOWS\system32\lljvpeos.dll
    C:\WINDOWS\system32\jexvcnvp.exe
    C:\WINDOWS\system32\mjlieb.dll
    C:\WINDOWS\system32\gdmdvvwi.dll
    C:\WINDOWS\system32\xwhuagvl.dll
    C:\WINDOWS\system32\hvsfssos.dll
    C:\WINDOWS\system32\jnlaylqg.dll
    C:\WINDOWS\system32\iblwoapx.dll
    C:\WINDOWS\system32\wtmgte.dll
    C:\WINDOWS\system32\ebwqlkpq.dll
    C:\WINDOWS\system32\xeyhefoi.dll
    C:\WINDOWS\system32\itibnqtj.dll
    C:\WINDOWS\system32\vlpnbeebokph.dll 
    C:\WINDOWS\system32\yoxzab.dll
    C:\WINDOWS\system32\mfutmlrf.dll
    C:\WINDOWS\system32\wneombry.dll
    C:\WINDOWS\system32\cvparxsm.dll
    C:\WINDOWS\system32\klloonpo.ini2 
    C:\WINDOWS\system32\opnoollk.dll
    C:\WINDOWS\system32\nisximby.dll
    C:\WINDOWS\system32\fqcwzw.dll
    C:\WINDOWS\system32\fcgcawws.dll
    C:\WINDOWS\system32\sfnnskwm.dll
    C:\WINDOWS\system32\esgvemto.dll
    C:\WINDOWS\system32\geBUnoLf.dll
    C:\WINDOWS\system32\yayaASLE.dll
    C:\WINDOWS\system32\jedrok.dll
    C:\WINDOWS\system32\rsogwrft.dll
    C:\WINDOWS\system32\plsfnwog.dll
    C:\WINDOWS\system32\ijgrnbqf.dll
    C:\WINDOWS\system32\rgqrxacc.dll
    C:\Program Files\iCheck
    C:\Program Files\GetPack
    C:\WINDOWS\system32\WwEOnnmp.ini2 
    C:\WINDOWS\system32\pmnnOEwW.dll
    C:\WINDOWS\system32\atmtd.dll
    C:\WINDOWS\uninstall_nmon.vbs
    C:\Program Files\Network Monitor
    C:\WINDOWS\QW1lbGlhIFJlZWRz
    C:\WINDOWS\system32\xhkgjlzisujpnp.exe
    C:\WINDOWS\system32\tebg4
    C:\WINDOWS\system32\cur2
    C:\WINDOWS\system32\kBin02
    C:\WINDOWS\system32\urqQgddD.dll
    C:\WINDOWS\system32\tuvSljkK.dll
    C:\WINDOWS\b148.exe
    C:\WINDOWS\b152.exe
    C:\Documents and Settings\Greg\lsass.exe
    C:\WINDOWS\mrofinu1188.exe
    C:\WINDOWS\mrofinu1000106.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16EC00C6-90B4-4956-BE82-96A007727458}
    HKEY_CLASSES_ROOT\CLSID\{16EC00C6-90B4-4956-BE82-96A007727458}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3203C641-8301-4513-9A5A-C815EE3437C3}
    HKEY_CLASSES_ROOT\CLSID\{3203C641-8301-4513-9A5A-C815EE3437C3}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{514A5C49-0C7D-42c3-A71B-38864A269B7A}
    HKEY_CLASSES_ROOT\CLSID\{514A5C49-0C7D-42c3-A71B-38864A269B7A}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a16acb9e-ecbb-fcf6-850e-265e702ac1fa}
    HKEY_CLASSES_ROOT\CLSID\{a16acb9e-ecbb-fcf6-850e-265e702ac1fa}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e827cb59-e9a7-8569-17b4-dd4a88be655e}
    HKEY_CLASSES_ROOT\CLSID\{e827cb59-e9a7-8569-17b4-dd4a88be655e}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\LSA Shellu
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\runner1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\{525161ae-1c3a-77c1-2561-1ea790ee1deb}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\4289727e
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BM41ba41e2
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\39855845889158728651099187833999
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\39855845889158728651099187833999
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\39855845889158728651099187833999
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvSljkK
    Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

THEN

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Logs required: OTMoveit, Report.txt and a new Hijackthis log

HIJACKTHIS LOG INSTALLATION AND DOWNLOAD INSTRUCTIONS

Download & Run HijackThis.exe

  • Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

#6
elreeds

    Member

  • Topic Starter
  • Member
  • 63 posts
C:\WINDOWS\QW1lbGlhIFJlZWRz moved successfully.
File/Folder C:\WINDOWS\mrofinu.exe not found.
C:\Program Files\AV9 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tuvSljkK.dll
C:\WINDOWS\system32\tuvSljkK.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\tuvSljkK.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\pmnnOEwW.dll
C:\WINDOWS\system32\pmnnOEwW.dll NOT unregistered.
C:\WINDOWS\system32\pmnnOEwW.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\lljvpeos.dll
C:\WINDOWS\system32\lljvpeos.dll NOT unregistered.
C:\WINDOWS\system32\lljvpeos.dll moved successfully.
C:\WINDOWS\system32\vlpnbeebokph.dll unregistered successfully.
C:\WINDOWS\system32\vlpnbeebokph.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ycbirp.dll
C:\WINDOWS\system32\ycbirp.dll NOT unregistered.
C:\WINDOWS\system32\ycbirp.dll moved successfully.
File/Folder C:\Documents and Settings\Greg\lsass.exe not found.
C:\WINDOWS\mrofinu1188.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ysjvomtx.dll
C:\WINDOWS\system32\ysjvomtx.dll NOT unregistered.
C:\WINDOWS\system32\ysjvomtx.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\slvevmbd.dll
C:\WINDOWS\system32\slvevmbd.dll NOT unregistered.
C:\WINDOWS\system32\slvevmbd.dll moved successfully.
C:\WINDOWS\system32\ieupdates.exe moved successfully.
C:\WINDOWS\system32\gagiuwbb.exe moved successfully.
File/Folder C:\WINDOWS\system32\ycbirp.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\qlrdwieq.dll
C:\WINDOWS\system32\qlrdwieq.dll NOT unregistered.
C:\WINDOWS\system32\qlrdwieq.dll moved successfully.
File/Folder C:\WINDOWS\system32\slvevmbd.dll not found.
File/Folder C:\WINDOWS\system32\lljvpeos.dll not found.
File move failed. C:\WINDOWS\system32\jexvcnvp.exe scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\mjlieb.dll
C:\WINDOWS\system32\mjlieb.dll NOT unregistered.
C:\WINDOWS\system32\mjlieb.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\gdmdvvwi.dll
C:\WINDOWS\system32\gdmdvvwi.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\gdmdvvwi.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32\xwhuagvl.dll
C:\WINDOWS\system32\xwhuagvl.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\xwhuagvl.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32\hvsfssos.dll
C:\WINDOWS\system32\hvsfssos.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\hvsfssos.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32\jnlaylqg.dll
C:\WINDOWS\system32\jnlaylqg.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\jnlaylqg.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32\iblwoapx.dll
C:\WINDOWS\system32\iblwoapx.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\iblwoapx.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\wtmgte.dll
C:\WINDOWS\system32\wtmgte.dll NOT unregistered.
C:\WINDOWS\system32\wtmgte.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\ebwqlkpq.dll
C:\WINDOWS\system32\ebwqlkpq.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\ebwqlkpq.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32\xeyhefoi.dll
C:\WINDOWS\system32\xeyhefoi.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\xeyhefoi.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32\itibnqtj.dll
C:\WINDOWS\system32\itibnqtj.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\itibnqtj.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\vlpnbeebokph.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\yoxzab.dll
C:\WINDOWS\system32\yoxzab.dll NOT unregistered.
C:\WINDOWS\system32\yoxzab.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\mfutmlrf.dll
C:\WINDOWS\system32\mfutmlrf.dll NOT unregistered.
C:\WINDOWS\system32\mfutmlrf.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\wneombry.dll
C:\WINDOWS\system32\wneombry.dll NOT unregistered.
C:\WINDOWS\system32\wneombry.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\cvparxsm.dll
C:\WINDOWS\system32\cvparxsm.dll NOT unregistered.
C:\WINDOWS\system32\cvparxsm.dll moved successfully.
C:\WINDOWS\system32\klloonpo.ini2 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\opnoollk.dll
C:\WINDOWS\system32\opnoollk.dll NOT unregistered.
C:\WINDOWS\system32\opnoollk.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\nisximby.dll
C:\WINDOWS\system32\nisximby.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\nisximby.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fqcwzw.dll
C:\WINDOWS\system32\fqcwzw.dll NOT unregistered.
C:\WINDOWS\system32\fqcwzw.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\fcgcawws.dll
C:\WINDOWS\system32\fcgcawws.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\fcgcawws.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32\sfnnskwm.dll
C:\WINDOWS\system32\sfnnskwm.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\sfnnskwm.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32\esgvemto.dll
C:\WINDOWS\system32\esgvemto.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\esgvemto.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\geBUnoLf.dll
C:\WINDOWS\system32\geBUnoLf.dll NOT unregistered.
C:\WINDOWS\system32\geBUnoLf.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\yayaASLE.dll
C:\WINDOWS\system32\yayaASLE.dll NOT unregistered.
C:\WINDOWS\system32\yayaASLE.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\jedrok.dll
C:\WINDOWS\system32\jedrok.dll NOT unregistered.
C:\WINDOWS\system32\jedrok.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\rsogwrft.dll
C:\WINDOWS\system32\rsogwrft.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\rsogwrft.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32\plsfnwog.dll
C:\WINDOWS\system32\plsfnwog.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\plsfnwog.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32\ijgrnbqf.dll
C:\WINDOWS\system32\ijgrnbqf.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\ijgrnbqf.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32\rgqrxacc.dll
C:\WINDOWS\system32\rgqrxacc.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\rgqrxacc.dll scheduled to be moved on reboot.
C:\Program Files\iCheck moved successfully.
C:\Program Files\GetPack moved successfully.
C:\WINDOWS\system32\WwEOnnmp.ini2 moved successfully.
File/Folder C:\WINDOWS\system32\pmnnOEwW.dll not found.
LoadLibrary failed for C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll NOT unregistered.
C:\WINDOWS\system32\atmtd.dll moved successfully.
C:\WINDOWS\uninstall_nmon.vbs moved successfully.
C:\Program Files\Network Monitor moved successfully.
File/Folder C:\WINDOWS\QW1lbGlhIFJlZWRz not found.
C:\WINDOWS\system32\xhkgjlzisujpnp.exe moved successfully.
C:\WINDOWS\system32\tebg4 moved successfully.
C:\WINDOWS\system32\cur2 moved successfully.
C:\WINDOWS\system32\kBin02 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\urqQgddD.dll
C:\WINDOWS\system32\urqQgddD.dll NOT unregistered.
C:\WINDOWS\system32\urqQgddD.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tuvSljkK.dll
C:\WINDOWS\system32\tuvSljkK.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\tuvSljkK.dll scheduled to be moved on reboot.
C:\WINDOWS\b148.exe moved successfully.
C:\WINDOWS\b152.exe moved successfully.
File/Folder C:\Documents and Settings\Greg\lsass.exe not found.
File/Folder C:\WINDOWS\mrofinu1188.exe not found.
C:\WINDOWS\mrofinu1000106.exe moved successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16EC00C6-90B4-4956-BE82-96A007727458} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16EC00C6-90B4-4956-BE82-96A007727458}\\ deleted successfully.
< HKEY_CLASSES_ROOT\CLSID\{16EC00C6-90B4-4956-BE82-96A007727458} >
Registry key HKEY_CLASSES_ROOT\CLSID\{16EC00C6-90B4-4956-BE82-96A007727458}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3203C641-8301-4513-9A5A-C815EE3437C3} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3203C641-8301-4513-9A5A-C815EE3437C3}\\ not found.
< HKEY_CLASSES_ROOT\CLSID\{3203C641-8301-4513-9A5A-C815EE3437C3} >
Registry key HKEY_CLASSES_ROOT\CLSID\{3203C641-8301-4513-9A5A-C815EE3437C3}\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{514A5C49-0C7D-42c3-A71B-38864A269B7A} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{514A5C49-0C7D-42c3-A71B-38864A269B7A}\\ deleted successfully.
< HKEY_CLASSES_ROOT\CLSID\{514A5C49-0C7D-42c3-A71B-38864A269B7A} >
Registry key HKEY_CLASSES_ROOT\CLSID\{514A5C49-0C7D-42c3-A71B-38864A269B7A}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a16acb9e-ecbb-fcf6-850e-265e702ac1fa} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a16acb9e-ecbb-fcf6-850e-265e702ac1fa}\\ not found.
< HKEY_CLASSES_ROOT\CLSID\{a16acb9e-ecbb-fcf6-850e-265e702ac1fa} >
Registry key HKEY_CLASSES_ROOT\CLSID\{a16acb9e-ecbb-fcf6-850e-265e702ac1fa}\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e827cb59-e9a7-8569-17b4-dd4a88be655e} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e827cb59-e9a7-8569-17b4-dd4a88be655e}\\ not found.
< HKEY_CLASSES_ROOT\CLSID\{e827cb59-e9a7-8569-17b4-dd4a88be655e} >
Registry key HKEY_CLASSES_ROOT\CLSID\{e827cb59-e9a7-8569-17b4-dd4a88be655e}\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\LSA Shellu >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\LSA Shellu deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\runner1 >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\runner1 deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\{525161ae-1c3a-77c1-2561-1ea790ee1deb} >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\{525161ae-1c3a-77c1-2561-1ea790ee1deb} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{525161ae-1c3a-77c1-2561-1ea790ee1deb}\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\4289727e >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\4289727e deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BM41ba41e2 >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BM41ba41e2 deleted successfully.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\39855845889158728651099187833999 >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\39855845889158728651099187833999 not found.
< HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\39855845889158728651099187833999 >
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\39855845889158728651099187833999 deleted successfully.
< HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\39855845889158728651099187833999 >
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\39855845889158728651099187833999 not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvSljkK >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvSljkK\\ deleted successfully.
< Purity >
C:\Program Files\InetGet2 moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08092008_152706

Files moved on Reboot...
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tuvSljkK.dll
C:\WINDOWS\system32\tuvSljkK.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\tuvSljkK.dll scheduled to be moved on reboot.
C:\WINDOWS\system32\jexvcnvp.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\gdmdvvwi.dll
C:\WINDOWS\system32\gdmdvvwi.dll NOT unregistered.
C:\WINDOWS\system32\gdmdvvwi.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\xwhuagvl.dll
C:\WINDOWS\system32\xwhuagvl.dll NOT unregistered.
C:\WINDOWS\system32\xwhuagvl.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hvsfssos.dll
C:\WINDOWS\system32\hvsfssos.dll NOT unregistered.
C:\WINDOWS\system32\hvsfssos.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\jnlaylqg.dll
C:\WINDOWS\system32\jnlaylqg.dll NOT unregistered.
C:\WINDOWS\system32\jnlaylqg.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\iblwoapx.dll
C:\WINDOWS\system32\iblwoapx.dll NOT unregistered.
C:\WINDOWS\system32\iblwoapx.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ebwqlkpq.dll
C:\WINDOWS\system32\ebwqlkpq.dll NOT unregistered.
C:\WINDOWS\system32\ebwqlkpq.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\xeyhefoi.dll
C:\WINDOWS\system32\xeyhefoi.dll NOT unregistered.
C:\WINDOWS\system32\xeyhefoi.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\itibnqtj.dll
C:\WINDOWS\system32\itibnqtj.dll NOT unregistered.
C:\WINDOWS\system32\itibnqtj.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\nisximby.dll
C:\WINDOWS\system32\nisximby.dll NOT unregistered.
C:\WINDOWS\system32\nisximby.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fcgcawws.dll
C:\WINDOWS\system32\fcgcawws.dll NOT unregistered.
C:\WINDOWS\system32\fcgcawws.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\sfnnskwm.dll
C:\WINDOWS\system32\sfnnskwm.dll NOT unregistered.
C:\WINDOWS\system32\sfnnskwm.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\esgvemto.dll
C:\WINDOWS\system32\esgvemto.dll NOT unregistered.
C:\WINDOWS\system32\esgvemto.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\rsogwrft.dll
C:\WINDOWS\system32\rsogwrft.dll NOT unregistered.
C:\WINDOWS\system32\rsogwrft.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\plsfnwog.dll
C:\WINDOWS\system32\plsfnwog.dll NOT unregistered.
C:\WINDOWS\system32\plsfnwog.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ijgrnbqf.dll
C:\WINDOWS\system32\ijgrnbqf.dll NOT unregistered.
C:\WINDOWS\system32\ijgrnbqf.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\rgqrxacc.dll
C:\WINDOWS\system32\rgqrxacc.dll NOT unregistered.
C:\WINDOWS\system32\rgqrxacc.dll moved successfully.
  • 0

#7
elreeds
    Member
  • Topic Starter
  • 63 posts
Sorry, I do realise I still need to run another scan and paste the log and also need to do Hijack This, but I'm having serious problems with the internet at the moment on the laptop (so I'm having to write this from my computer). It just won't load web pages and so I can't really get onto this thread due to the pages not loading; therefore it makes it very difficult for me to run the logs as I cannot gain access to them. Please bear with me though. I am trying to do this as fast as possible :)
  • 0

#8
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
No problems - just go at a pace that is suitable for you. Soon it will become easier :)
  • 0

#9
elreeds
    Member
  • Topic Starter
  • 63 posts
I have now installed SDFix, but I cannot find the 'SDFix.exe' but it does have 'catchme.exe'. When I first downloaded it, a box came up saying to just press 'install' and that's what I did. This is the stage I am at right now...shall I now go on to reboot in safe mode? I don't want to do it wrong!
  • 0

#10
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
You are getting there - catchme is part of the rootkit detection/removal programme.
You are after the .bat file, not an .exe file.

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.


  • 0

#11
elreeds
    Member
  • Topic Starter
  • 63 posts
Thanks. I'm currently running the clean up process now. But I'm also a little worried about this computer too, as I sent something over MSN from the 'infected' laptop to this computer (it was the last log I posted, as the web pages didn't load on the laptop and I wanted to post a reply). When I turned the computer off just now (I admit that I didn't shut it down properly, I just pressed the on/off button because I was in a rush) I very briefly saw a 'rundll' message box that showed up just before the computer switched off. I haven't had any other message boxes since switching the computer back on though and no silly pop-ups or unwanted windows advertising things have come up.

I have just run a complete scan of the computer using 'SUPERAnti Spyware' (which is what you told me to download and keep last time I had a malware issue on this computer). The scan has now finished and a message box has come up saying 'You must reboot to complete the removal of the harmful software detected'. Does it mean it has detected the 'rundll' thing?
  • 0

#12
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
SAS will not be able to remove that - so if you could post the sdfix report and a new Hijackthis log I will clear that error :)
  • 0

#13
elreeds
    Member
  • Topic Starter
  • 63 posts
Laptop (computer logs will be done after this)

SDFix: Version 1.214
Run by Erin on 09/08/2008 at 18:43

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
cmdService
Network Monitor

Path :
C:\WINDOWS\QW1lbGlhIFJlZWRz\command.exe
C:\Program Files\Network Monitor\netmon.exe service

cmdService - Deleted
Network Monitor - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\tuvSljkK.dll - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Program Files\mjc\mjc.exe - Deleted
C:\WINDOWS\system32\atmtd.dll._ - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\scui.cpl - Deleted
C:\WINDOWS\system32\winsrc.dll - Deleted



Folder C:\Program Files\mjc - Removed
Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed
Folder C:\Temp\1cb - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 19:05:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000130
"TracesSuccessful"=dword:00000007

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Documents and Settings\\Greg\\My Documents\\My Downlads\\SPStudio\\SPStudio.exe"="C:\\Documents and Settings\\Greg\\My Documents\\My Downlads\\SPStudio\\SPStudio.exe:*:Enabled:SmartPhone Studio"
"C:\\Program Files\\burst\\core-new1.1.3\\btdownloadheadless.exe"="C:\\Program Files\\burst\\core-new1.1.3\\btdownloadheadless.exe:*:Enabled:burst! download engine"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Steam\\SteamApps\\[email protected]\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\[email protected]\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\RSSoft\\RSEDNClient.exe"="C:\\Program Files\\RSSoft\\RSEDNClient.exe:*:Enabled:RSEDNClient"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"="C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"="C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"
"D:\\setup\\HPZNUI01.EXE"="D:\\setup\\HPZNUI01.EXE:*:Enabled:hpznui01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Documents and Settings\\Greg\\Local Settings\\Temp\\WZSE0.TMP\\SymNRT.exe"="C:\\Documents and Settings\\Greg\\Local Settings\\Temp\\WZSE0.TMP\\SymNRT.exe:*:Enabled:Symantec Removal Utility"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 13 Jun 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 16 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 15 Jul 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT16.tmp"
Tue 16 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT26.tmp"
Tue 13 Jun 2006 4,348 ...H. --- "C:\Documents and Settings\Erin\My Documents\My Music\License Backup\drmv1key.bak"
Tue 13 Jun 2006 20 A..H. --- "C:\Documents and Settings\Erin\My Documents\My Music\License Backup\drmv1lic.bak"
Tue 21 Jun 2005 312 A.SH. --- "C:\Documents and Settings\Erin\My Documents\My Music\License Backup\drmv2key.bak"
Tue 2 Aug 2005 187,904 A.SHR --- "C:\_OTMoveIt\MovedFiles\08092008_152706\WINDOWS\QW1lbGlhIFJlZWRz\asappsrv.dll"
Tue 2 Aug 2005 293,888 A.SHR --- "C:\_OTMoveIt\MovedFiles\08092008_152706\WINDOWS\QW1lbGlhIFJlZWRz\command.exe"

Finished!

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:23:26, on 09/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Kontiki\KHost.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...o&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...o&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...o&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.c...NWLobUOZUBItbg=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...o&pf=laptop
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [4289727e] rundll32.exe "C:\WINDOWS\system32\vssqpkub.dll",b
O4 - HKLM\..\Run: [BM41ba41e2] Rundll32.exe "C:\WINDOWS\system32\xjekdsmp.dll",s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=presario&pf=laptop
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.reds.../113/rssoft.cab
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 6192 bytes
  • 0
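The HijackThis log above shows the pattern the helper is about to clean up: two O4 Run entries with hex-looking value names (4289727e, BM41ba41e2) that start rundll32.exe on a DLL with a random eight-letter name in system32, plus a Run entry under the SYSTEM hive (HKUS\S-1-5-18) for an executable that is not part of Windows. The script below is an added example, not from this thread or from HijackThis/SDFix, that turns those observations into a repeatable triage check over O4 lines. The sample lines are constructed from the entries quoted in the thread; the heuristics (hex-like value name, random-looking DLL base name, single-letter export, non-standard SYSTEM-hive entry) are assumptions of this example, not rules from the tools.

```python
import re
from typing import List, Tuple

# Constructed sample HijackThis O4 lines, modelled on the entries quoted in the
# thread: benign vendor entries, the two random-named rundll32 loaders, the
# normal CTFMON entry under SYSTEM and an unexpected SYSTEM-hive entry.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [4289727e] rundll32.exe "C:\WINDOWS\system32\vssqpkub.dll",b
O4 - HKLM\..\Run: [BM41ba41e2] Rundll32.exe "C:\WINDOWS\system32\xjekdsmp.dll",s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe" (User 'SYSTEM')
"""

# O4 registry Run entries: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")   # trailing "(User 'SYSTEM')"
RUNDLL_RE = re.compile(r'^"?(?:[A-Za-z]:\\[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?P<arg>.+)$', re.IGNORECASE)
DLL_ARG_RE = re.compile(r'^"?(?P<dll>[^",]+)"?\s*(?:,\s*(?P<export>\S*))?')
FIRST_TOKEN_RE = re.compile(r'^"?(?P<exe>[^"\s]+)')

# Heuristics (assumptions of this example, tuned to the entries in the thread).
HEXISH_NAME_RE = re.compile(r"^(?:BM)?[0-9a-fA-F]{8}$")   # e.g. 4289727e, BM41ba41e2
RANDOM_BASENAME_RE = re.compile(r"^[a-z]{8}$")            # e.g. vssqpkub, xjekdsmp
SYSTEM_SID = "S-1-5-18"
KNOWN_SYSTEM_RUN = {"ctfmon.exe"}   # the one SYSTEM-hive Run value seen on a clean XP box


def triage_o4(log: str) -> List[Tuple[str, List[str]]]:
    """Return (value name, reasons) for every O4 Run entry that trips a heuristic."""
    findings: List[Tuple[str, List[str]]] = []
    for raw in log.splitlines():
        m = O4_RE.match(raw.strip())
        if not m:
            continue  # Startup-folder O4 lines and other sections are out of scope here
        hive, name = m["hive"], m["name"]
        cmd = USER_SUFFIX_RE.sub("", m["cmd"])
        reasons: List[str] = []

        if HEXISH_NAME_RE.match(name):
            reasons.append("hex-like Run value name")

        r = RUNDLL_RE.match(cmd)
        if r:
            a = DLL_ARG_RE.match(r["arg"])
            if a:
                dll = a["dll"].strip()
                export = a["export"] or ""
                base = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                if RANDOM_BASENAME_RE.match(base):
                    reasons.append(f"rundll32 loads random-looking DLL {base}")
                if len(export) <= 1:
                    reasons.append("single-letter or missing DLL export name")

        if SYSTEM_SID in hive:
            t = FIRST_TOKEN_RE.match(cmd)
            exe = t["exe"].rsplit("\\", 1)[-1].lower() if t else ""
            if exe not in KNOWN_SYSTEM_RUN:
                reasons.append("non-standard Run entry under the SYSTEM hive")

        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage_o4(SAMPLE_HJT):
        print(f"[{name}] -> {'; '.join(reasons)}")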

#14
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts

Laptop (computer logs will be done after this)

So I am doing two computers ?

If so to stop confusion on my part we will cure one at a time, as they may well need different fixes

First the laptop

First you have to download an antivirus. This program is basic for the security of your computer and in today's age not having one will probably lead to disaster for your computer.

Please go HERE and download avast! 4 Home Edition to your desktop. Locate the file that you just downloaded, double-click on the file to launch the installation of avast!

Click Next on the avast! Setup window and on the next window with the ReadMe File.
Now you will see the Legal Agreement, just click I agree, and then click Next to continue.

You will be prompted with the Configuration window, make sure that you choose Typical configuration and then click Next. Click Next to the windows that will follow; when the installation finishes, you will be given an option to schedule a boot time scan, select No

Now you have to restart your machine, select Restart and then click Finish.

After you restart you will get a message about avast! it will give you the general "Hello and Thank you for choosing our Product." Also after you restart you will notice 2 new icons in the bottom right corner of the screen.

VERY IMPORTANT - after restarting, right click on the a in the taskbar and select Updating, then highlight and click Program.

You will get a popup after it's done updating. If avast! had to download anything for your computer you may get a message asking you to restart.

After you have updated avast! right click the small icon a in task bar and click Start Avast! AntiVirus

Click Program Registration and you will be taken to their website. Fill out the form and then check your e-mail. Once you get an e-mail from them (usually about 1 minute after submitting the form) copy and paste the serial they provided into the highlighted box. Then click ok.

After this, you will need to Schedule Boot-Time Scan with avast! Click on the little button placed up in the left corner, and select Schedule Boot-Time Scan. Read also this tutorial HERE; it may make it easier for you to follow the steps.

Next, choose
  • Scan all local disks
  • scan archive files
  • click on Schedule
On the next dialog Operating system restart needed select Yes
Now avast! will restart your computer and start to scan before Windows fully loads.

IMPORTANT NOTE since your system has infections on it, avast! will give you a dialog box with recommended actions, and options, please make sure if this happens, to click the Move to Chest button, and not to delete any reported files.

The boot log will be located here C:\Program Files\Alwil Software\Avast4\DATA\report\AswBoot.txt

Having done that repost a DSS scan from the Laptop

If it already has DSS on it then

click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again when finished
Please post back both logs that open in notepad
Main txt and extra txt

IF it does not have DSS on it then

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#15
elreeds
    Member
  • Topic Starter
  • 63 posts
Computer scans. Just using different colours to make it easier to distinguish between the two systems. Black writing = laptop. Purple = computer.

SDFix: Version 1.214
Run by Owner on 09/08/2008 at 19:18

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\KIUJNNQ.EXE - Deleted
C:\WINDOWS\SYSTEM32\IALMCOIN.DLL - Deleted
C:\WINDOWS\smdat32a.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 19:27:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 25 Oct 2003 196 A.SHR --- "C:\BOOT.BAK"
Mon 27 Oct 2003 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 19 Apr 2006 782 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv15.bak"
Mon 6 Dec 2004 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv17.bak"
Sat 30 Oct 2004 773 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti371.tmp"
Fri 1 Jun 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 12 Apr 2005 26,112 ...H. --- "C:\Documents and Settings\Owner\My Documents\Erin\~WRL0005.tmp"
Tue 28 Jun 2005 30,208 ...H. --- "C:\Documents and Settings\Owner\My Documents\Erin\~WRL0112.tmp"
Tue 8 Mar 2005 57,856 ...H. --- "C:\Documents and Settings\Owner\My Documents\Erin\~WRL0671.tmp"
Tue 28 Jun 2005 30,208 ...H. --- "C:\Documents and Settings\Owner\My Documents\Erin\~WRL0984.tmp"
Tue 8 Mar 2005 57,344 ...H. --- "C:\Documents and Settings\Owner\My Documents\Erin\~WRL1021.tmp"
Mon 7 Mar 2005 54,272 ...H. --- "C:\Documents and Settings\Owner\My Documents\Erin\~WRL3602.tmp"
Tue 29 Jul 2008 3,030,568 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0d3b5d19cc06db007bbe6584808bfa9e\BIT32.tmp"
Mon 27 Oct 2003 4,348 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"
Wed 19 Apr 2006 782 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Mon 27 Oct 2003 312 A.SH. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"

Finished!

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:41:23, on 09/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\notepad.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [ctfmon] C:\WINDOWS\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btinternet.com/
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.n...E_5.3.0.228.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...2/OCI/setup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147629406640
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\SuperCD\IntraLaunch.CAB
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoe...ggPublisher.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,20/mcgdmgr.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 12380 bytes

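A practitioner reading a log like the one above usually wants a first mechanical pass before eyeballing every line: pull the executable out of each O4 Run entry, notice entries that run a bare filename (resolved by PATH search), entries that run a file straight out of the Windows root rather than system32, two entries with the same name pointing at different files, and O16/O24 items that load from a file: URL instead of a web origin. The script below is an added example written for this page; it is not part of the thread, not a HijackThis tool, and its "what looks normal" heuristics are this example's own assumptions, not verdicts on any specific entry. The sample lines are copied from the log posted above and embedded here so the script runs offline.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied verbatim from the HijackThis log in this
# thread. Only the triage heuristics below are this example's own assumptions.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ctfmon] C:\WINDOWS\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\SuperCD\IntraLaunch.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147629406640
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# Registry-style O4 line: "O4 - <hive>: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable in a command string, quoted or not, ignoring trailing args
FILE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|com))"?', re.IGNORECASE)
# Last " - <url>" token on O16/O24 lines
URL_RE = re.compile(r" - (?P<url>\S+)$")

# Assumption: a Run entry whose file sits directly in the Windows root rather
# than in system32 is worth a second look.
WINDOWS_ROOTS = ("c:\\windows", "c:\\winnt")


@dataclass
class Finding:
    section: str   # "O4", "O16", "O24"
    detail: str


def exe_path(cmd: str) -> str:
    """Return the executable part of a Run-key command string."""
    m = FILE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def triage(log_text: str) -> list:
    """Scan HijackThis O4/O16/O24 lines and return heuristic findings."""
    findings = []
    seen = {}  # normalised entry name -> first path seen under that name
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            name, path = m.group("name"), exe_path(m.group("cmd"))
            low = path.lower()
            if "\\" not in low:
                findings.append(Finding("O4", f"[{name}] is a bare filename "
                                        f"({path}); it is found by PATH search, so "
                                        f"verify which copy actually runs"))
            elif low.rsplit("\\", 1)[0] in WINDOWS_ROOTS:
                findings.append(Finding("O4", f"[{name}] runs {path} from the "
                                        f"Windows root rather than system32"))
            key = name.lower().removesuffix(".exe")
            if key in seen and seen[key].lower() != low:
                findings.append(Finding("O4", f"two entries named '{key}' point at "
                                        f"different files: {seen[key]} and {path}"))
            seen.setdefault(key, path)
        elif line.startswith(("O16 - DPF:", "O24 - Desktop Component")):
            u = URL_RE.search(line)
            if u and u.group("url").lower().startswith("file:"):
                findings.append(Finding(line[:3], f"loads {u.group('url')}, a local "
                                        f"or removable-media path rather than a web origin"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.detail}")
```

The script only ranks lines for human review; a flagged entry is not automatically malicious, and an unflagged one is not automatically clean. Extend `WINDOWS_ROOTS` and the regexes to match the paths that are normal on the machine being examined.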