
Solved: Black screen with IP Address

Discussion in 'Virus & Other Malware Removal' started by Punker1234, Nov 6, 2007.

  1. Punker1234

    Punker1234 Thread Starter

    Joined:
    May 6, 2006
    Messages:
    124
    Hello. I'm still having problems with my computer and it's getting worse. I can't even browse without closing a few popups every minute or so. My background is now changed to a black screen that says "Warning! Spyware thread has been detected on your PC." I also get little bubbles like the Windows bubbles for updates. Please help, my computer has been rendered useless for 3 days now. I've run a HijackThis log for you. Thank you!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:41:28 PM, on 11/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\quofmfhx.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\vvgeowbv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SkyTel.EXE
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\DU Meter\DUMeter.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\winshow.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinAble\winable.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Jeff\Desktop\HiJackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\kebfgsgk.dll
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
    O4 - HKLM\..\Run: [{04-4D-D0-03-ZN}] C:\Documents and Settings\Jeff\Local Settings\Temp\T0CHD001.exe CHD001
    O4 - HKLM\..\Run: [bc204dac] rundll32.exe "C:\WINDOWS\system32\qfawktwt.dll",b
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
    O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Jeff\Local Settings\Temp\T0CHD001.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159777509576
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159777470951
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\quofmfhx.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\Microsoft IntelliPoint\profsyrtym.html

    --
    End of file - 6977 bytes
     
  2. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, Punker1234 :)

    Welcome to the forum.

    Please download OTMoveIt by OldTimer.
    • Save it to your desktop.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\kebfgsgk.dll
    O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
    O4 - HKLM\..\Run: [{04-4D-D0-03-ZN}] C:\Documents and Settings\Jeff\Local Settings\Temp\T0CHD001.exe CHD001
    O4 - HKLM\..\Run: [bc204dac] rundll32.exe "C:\WINDOWS\system32\qfawktwt.dll",b
    O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
    O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Jeff\Local Settings\Temp\T0CHD001.exe


    Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

    Close Hijackthis.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\system32\vvgeowbv.exe
      C:\WINDOWS\system32\kebfgsgk.dll
      C:\WINDOWS\system32\qfawktwt.dll
      C:\Documents and Settings\Jeff\Local Settings\Temp\T0CHD001.exe
      C:\Program Files\WinAble
      c:\windows\system32\ldcore.dll
      C:\Documents and Settings\Jeff\start menu\programs\startup\TA_Start.lnk


    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
      • If able, copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on a note pad document. Save it on the desktop and post its contents in your next reply.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      -----------------------------------------------------------​
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
        -----------------------------------------------------------​
    3. Double click on combofix.exe & follow the prompts.
    4. When finished, it will produce a report for you.
    5. Please post the "C:\ComboFix.txt" on your next reply.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Download and scan with SUPERAntiSpyware Free for Home Users
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply along with a Hijackthis log.
    • Click Close to exit the program.
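Added example, not part of this thread and not code from HijackThis, OTMoveIt or ComboFix: a small triage script that reads HijackThis-style log lines and flags the same kinds of entries JSntgRvr picked out above (an extra executable in the F2 UserInit value, autoruns launched from a Temp directory, a non-empty O20 AppInit_DLLs, an O23 service with an unknown owner and a random-looking binary name, and an O24 Active Desktop component pointing at a local HTML file, which is what replaces the wallpaper with the black "Warning!" screen). The sample lines are constructed from the log posted above, with two benign entries left in to show they are not flagged; the "random-looking name" rule is a heuristic assumed for this example, not a HijackThis feature.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: HijackThis-style lines modelled on the log in this
# thread. The IntelliPoint and NVIDIA lines are benign and should not be flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [{04-4D-D0-03-ZN}] C:\Documents and Settings\Jeff\Local Settings\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [bc204dac] rundll32.exe "C:\WINDOWS\system32\qfawktwt.dll",b
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Jeff\Local Settings\Temp\T0CHD001.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\quofmfhx.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Microsoft IntelliPoint\profsyrtym.html
"""

# A Windows path (drive letter, backslash, no quotes or commas) ending in one of
# the file types that show up in HijackThis entries.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n,]*?\.(?:exe|dll|html?|lnk|vbs|sys)', re.IGNORECASE)

VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Heuristic (assumption for this example): the dropped files in this thread
    all have 8-letter lowercase stems with at most two vowels (vvgeowbv,
    kebfgsgk, qfawktwt, quofmfhx). Real system files such as userinit or
    winlogon have three or more vowels and are not matched."""
    return bool(re.fullmatch(r"[a-z]{8}", stem)) and sum(c in VOWELS for c in stem) <= 2


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (section, reason) pairs for every log line that trips a check."""
    findings: list[tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]          # "F2", "O4", "O20", ...
        paths = PATH_RE.findall(line)
        reasons: list[str] = []

        # F2: UserInit should name only userinit.exe; anything else runs at every logon.
        if section == "F2" and "UserInit=" in line:
            extras = [p for p in paths if PureWindowsPath(p).name.lower() != "userinit.exe"]
            if extras:
                reasons.append("extra UserInit executable: " + ", ".join(extras))

        # O20: a populated AppInit_DLLs gets the DLL loaded into every GUI process.
        if section == "O20" and paths:
            reasons.append("non-empty AppInit_DLLs: " + paths[0])

        # O24: an Active Desktop component backed by a local HTML file is how
        # the wallpaper gets replaced by a fake warning screen.
        if section == "O24" and any(p.lower().endswith((".htm", ".html")) for p in paths):
            reasons.append("Active Desktop component pointing at a local HTML file")

        # O23: a service with no publisher whose binary has a random-looking name.
        if section == "O23" and "Unknown owner" in line and any(
            looks_random(PureWindowsPath(p).stem) for p in paths
        ):
            reasons.append("service with unknown owner and random-looking binary name")

        # Any section: autoruns launched from a Temp directory, or (for browser
        # and Run-key entries) modules with random-looking names.
        for p in paths:
            if "\\temp\\" in p.lower():
                reasons.append("autorun from a Temp directory: " + p)
            elif section in ("O2", "O3", "O4") and looks_random(PureWindowsPath(p).stem):
                reasons.append("random-looking module name: " + p)

        findings.extend((section, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(f"{section:>4}  {reason}")
```

Run against the sample it reports seven findings on seven of the nine lines and leaves the IntelliPoint and NVIDIA entries alone. The checks only narrow down what to look at; each flagged path still has to be confirmed (publisher, file date, whether it exists at all) before it goes on a fix list, which is the step the moderator does by hand above.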
     
  3. Punker1234

    Punker1234 Thread Starter

    Joined:
    May 6, 2006
    Messages:
    124
    Thank you for the help, sir! I have all the logs for you. It seems for the most part that the pop-ups have stopped, but my background is still black with the IP address. I know we're far from done, but maybe that helps to have a little info. Logs below.

    Move it log.

    C:\WINDOWS\system32\vvgeowbv.exe moved successfully.
    C:\WINDOWS\system32\kebfgsgk.dll unregistered successfully.
    File move failed. C:\WINDOWS\system32\kebfgsgk.dll scheduled to be moved on reboot.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\qfawktwt.dll
    C:\WINDOWS\system32\qfawktwt.dll NOT unregistered.
    C:\WINDOWS\system32\qfawktwt.dll moved successfully.
    C:\Documents and Settings\Jeff\Local Settings\Temp\T0CHD001.exe moved successfully.
    C:\Program Files\WinAble moved successfully.
    DllUnregisterServer procedure not found in c:\windows\system32\ldcore.dll
    c:\windows\system32\ldcore.dll NOT unregistered.
    c:\windows\system32\ldcore.dll moved successfully.
    File/Folder C:\Documents and Settings\Jeff\start menu\programs\startup\TA_Start.lnk not found.

    Created on 11/06/2007 20:15:17


    Combofix


    ComboFix 07-11-07.3 - Jeff 2007-11-06 20:20:50.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1468 [GMT -8:00]
    Running from: C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
    * Created a new restore point
    .

    Unable to gain System Privileges

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
    C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
    C:\Documents and Settings\Jeff\Desktop\Live Safety Center.lnk
    C:\Documents and Settings\Jeff\Desktop\Online Security Guide.lnk
    C:\Documents and Settings\Jeff\Favorites\Online Security Guide.lnk
    C:\Program Files\3721
    C:\Program Files\3721\assist\asbar.dll
    C:\Program Files\3721\helper.dll
    C:\Program Files\Accoona
    C:\Program Files\Accoona\ASearchAssist.dll
    C:\Program Files\akl
    C:\Program Files\akl\akl.dll
    C:\Program Files\akl\akl.exe
    C:\Program Files\akl\curlog.htm
    C:\Program Files\akl\keylog.txt
    C:\Program Files\akl\readme.txt
    C:\Program Files\akl\uninstall.exe
    C:\Program Files\akl\unsetup.dat
    C:\Program Files\akl\unsetup.exe
    C:\Program Files\amsys
    C:\Program Files\amsys\awmsg.dat
    C:\Program Files\amsys\guid.dat
    C:\Program Files\amsys\ijl15.dll
    C:\Program Files\amsys\mfc42.dll
    C:\Program Files\amsys\msvcrt.dll
    C:\Program Files\amsys\unins000.dat
    C:\Program Files\amsys\unis000.exe
    C:\Program Files\amsys\winam.dat
    C:\Program Files\Common Files\Yazzle1549OinAdmin.exe
    C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
    C:\Program Files\e-zshopper
    C:\Program Files\e-zshopper\BarLcher.dll
    C:\Program Files\Microsoft IntelliPoint\lavugas.dll
    C:\Program Files\Microsoft IntelliPoint\lavugas157.dll
    C:\Program Files\Microsoft IntelliPoint\lavugas196.dll
    C:\Program Files\Microsoft IntelliPoint\lavugas202.dll
    C:\Program Files\Microsoft IntelliPoint\lavugas338.dll
    C:\Program Files\Microsoft IntelliPoint\profsyrtym.html
    C:\Program Files\p2pnetworks
    C:\Program Files\p2pnetworks\amp2pl.exe
    C:\Program Files\Temporary
    C:\Program Files\Temporary\wininstall.exe
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\temp\tn3
    C:\WINDOWS\764.exe
    C:\WINDOWS\7search.dll
    C:\WINDOWS\aconti.exe
    C:\WINDOWS\adbar.dll
    C:\WINDOWS\b122.exe
    C:\WINDOWS\cbinst$.exe
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\daxtime.dll
    C:\WINDOWS\dp0.dll
    C:\WINDOWS\eventlowg.dll
    C:\WINDOWS\fhfmm-Uninstaller.exe
    C:\WINDOWS\fhfmm.exe
    C:\WINDOWS\flt.dll
    C:\WINDOWS\hcwprn.exe
    C:\WINDOWS\hotporn.exe
    C:\WINDOWS\ie_32.exe
    C:\WINDOWS\iexplorr23.dll
    C:\WINDOWS\jd2002.dll
    C:\WINDOWS\kkcomp$.exe
    C:\WINDOWS\kkcomp.dll
    C:\WINDOWS\kkcomp.exe
    C:\WINDOWS\kvnab$.exe
    C:\WINDOWS\kvnab.dll
    C:\WINDOWS\kvnab.exe
    C:\WINDOWS\liqad$.exe
    C:\WINDOWS\liqad.dll
    C:\WINDOWS\liqad.exe
    C:\WINDOWS\liqui-Uninstaller.exe
    C:\WINDOWS\liqui.dll
    C:\WINDOWS\liqui.exe
    C:\WINDOWS\ngd.dll
    C:\WINDOWS\pbar.dll
    C:\WINDOWS\pbsysie.dll
    C:\WINDOWS\settn.dll
    C:\WINDOWS\spredirect.dll
    C:\WINDOWS\system32\.exe
    C:\WINDOWS\system32\a1
    C:\WINDOWS\system32\drivers\blank.gif
    C:\WINDOWS\system32\drivers\box_1.gif
    C:\WINDOWS\system32\drivers\box_2.gif
    C:\WINDOWS\system32\drivers\box_3.gif
    C:\WINDOWS\system32\drivers\button_buynow.gif
    C:\WINDOWS\system32\drivers\button_freescan.gif
    C:\WINDOWS\system32\drivers\cell_bg.gif
    C:\WINDOWS\system32\drivers\cell_footer.gif
    C:\WINDOWS\system32\drivers\cell_header_block.gif
    C:\WINDOWS\system32\drivers\cell_header_remove.gif
    C:\WINDOWS\system32\drivers\cell_header_scan.gif
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\core.sys
    C:\WINDOWS\system32\drivers\detect.htm
    C:\WINDOWS\system32\drivers\download_box.gif
    C:\WINDOWS\system32\drivers\download_btn.jpg
    C:\WINDOWS\system32\drivers\download_now_btn.gif
    C:\WINDOWS\system32\drivers\footer_back.jpg
    C:\WINDOWS\system32\drivers\header_1.gif
    C:\WINDOWS\system32\drivers\header_2.gif
    C:\WINDOWS\system32\drivers\header_3.gif
    C:\WINDOWS\system32\drivers\header_4.gif
    C:\WINDOWS\system32\drivers\header_red_bg.gif
    C:\WINDOWS\system32\drivers\header_red_free_scan.gif
    C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
    C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
    C:\WINDOWS\system32\drivers\infected.gif
    C:\WINDOWS\system32\drivers\main_back.gif
    C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
    C:\WINDOWS\system32\drivers\product_1_header.gif
    C:\WINDOWS\system32\drivers\product_1_name_small.gif
    C:\WINDOWS\system32\drivers\product_2_header.gif
    C:\WINDOWS\system32\drivers\product_2_name_small.gif
    C:\WINDOWS\system32\drivers\product_3_header.gif
    C:\WINDOWS\system32\drivers\product_3_name_small.gif
    C:\WINDOWS\system32\drivers\product_features.gif
    C:\WINDOWS\system32\drivers\pt.htm
    C:\WINDOWS\system32\drivers\rating.gif
    C:\WINDOWS\system32\drivers\s_detect.htm
    C:\WINDOWS\system32\drivers\screenshot.jpg
    C:\WINDOWS\system32\drivers\sep_hor.gif
    C:\WINDOWS\system32\drivers\sep_vert.gif
    C:\WINDOWS\system32\drivers\shadow.jpg
    C:\WINDOWS\system32\drivers\shadow_bg.gif
    C:\WINDOWS\system32\drivers\spacer.gif
    C:\WINDOWS\system32\drivers\spy_away_box.jpg
    C:\WINDOWS\system32\drivers\star.gif
    C:\WINDOWS\system32\drivers\star_gray.gif
    C:\WINDOWS\system32\drivers\star_gray_small.gif
    C:\WINDOWS\system32\drivers\star_small.gif
    C:\WINDOWS\system32\drivers\style.css
    C:\WINDOWS\system32\drivers\v.gif
    C:\WINDOWS\system32\drivers\warning_icon.gif
    C:\WINDOWS\system32\drivers\win_logo.gif
    C:\WINDOWS\system32\drivers\x.gif
    C:\WINDOWS\system32\ESHOPEE.exe
    C:\WINDOWS\system32\FTPx.dll
    C:\WINDOWS\system32\g2
    C:\WINDOWS\system32\g2\caws83122.exe
    C:\WINDOWS\system32\hjkmp.bak1
    C:\WINDOWS\system32\hjkmp.bak2
    C:\WINDOWS\system32\hjkmp.ini
    C:\WINDOWS\system32\hjkmp.ini2
    C:\WINDOWS\system32\hjkmp.tmp
    C:\WINDOWS\system32\kebfgsgk.dllbox
    C:\WINDOWS\system32\ldcore.dll
    C:\WINDOWS\system32\ldinfo.ldr
    C:\WINDOWS\system32\msnav32.ax
    C:\WINDOWS\system32\msole32.exe
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\pmkjh.dll
    C:\WINDOWS\system32\r2
    C:\WINDOWS\system32\r2\wr31drs.exe
    C:\WINDOWS\system32\uudixkak.exe
    C:\WINDOWS\system32\v8
    C:\WINDOWS\system32\v8\taldrvr11.exe
    C:\WINDOWS\system32\vxddsk.exe
    C:\WINDOWS\system32\wml.exe
    C:\WINDOWS\tk58.exe
    C:\WINDOWS\TTC-4444.exe
    C:\WINDOWS\vxddsk.exe
    C:\WINDOWS\wbeCheck.exe
    C:\WINDOWS\wbeInst$.exe
    C:\WINDOWS\winshow.exe
    C:\WINDOWS\wml.exe
    C:\WINDOWS\xadbrk.dll
    C:\WINDOWS\xadbrk.exe
    C:\WINDOWS\xadbrk_.exe
    C:\WINDOWS\xxxvideo.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CMDSERVICE
    -------\LEGACY_CORE
    -------\LEGACY_DOMAINSERVICE
    -------\LEGACY_NETWORK_MONITOR
    -------\core
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
    .

    2007-11-06 20:17 71,232 --a------ C:\WINDOWS\system32\mpcpcsfg.exe
    2007-11-06 17:49 87,104 --a------ C:\WINDOWS\system32\cgsramdt.dll
    2007-11-06 17:46 81,472 --a------ C:\WINDOWS\system32\vjqijkuk.dll
    2007-11-06 17:38 71,232 --a------ C:\WINDOWS\system32\ymqydmbo.exe
    2007-11-05 23:18 81,472 --a------ C:\WINDOWS\system32\fykuiifj.dll
    2007-11-05 19:16 83,008 --a------ C:\WINDOWS\system32\wwgmimcv.dll
    2007-11-05 19:10 85,568 --a------ C:\WINDOWS\system32\gxgvgcqp.dll
    2007-11-05 19:07 75,328 --a------ C:\WINDOWS\system32\quofmfhx.exe
    2007-11-05 19:04 340,032 --a------ C:\WINDOWS\system32\futpgmvu.dll
    2007-11-04 22:59 30,720 --a------ C:\WINDOWS\system32\ace16win.dll
    2007-11-04 22:50 90 --ah----- C:\aaw7boot.cmd
    2007-11-04 13:53 18,432 --a------ C:\WINDOWS\fkwggshm.exe
    2007-11-04 13:38 4 --a------ C:\WINDOWS\system32\stfv.bin
    2007-11-04 13:35 <DIR> d-------- C:\WINDOWS\system32\acespy
    2007-11-04 13:15 43,065 --a------ C:\WINDOWS\acdt-pid72.exe
    2007-11-04 13:15 21,504 --a------ C:\WINDOWS\system32\aivskurq.dll
    2007-11-04 13:15 12 --a------ C:\WINDOWS\system32\dpqaqlqx.bin
    2007-11-04 13:12 <DIR> d-------- C:\WINDOWS\system32\Mz08r
    2007-11-04 13:12 <DIR> d--hs---- C:\WINDOWS\SmVmZiBMb21iYXJkaQ
    2007-11-04 13:12 <DIR> d-------- C:\temp\mZOr
    2007-11-04 13:12 36,352 --a------ C:\WINDOWS\system32\tuvsrpm.dll
    2007-11-04 13:12 35,840 --a------ C:\WINDOWS\mrofinu77.exe
    2007-10-31 20:53 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\Codemasters
    2007-10-27 23:48 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
    2007-10-27 23:48 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
    2007-10-27 23:48 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
    2007-10-27 23:48 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
    2007-10-27 23:48 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
    2007-10-27 23:48 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
    2007-10-26 22:37 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\SystemRequirementsLab
    2007-10-26 22:01 <DIR> d-------- C:\Program Files\NVTray
    2007-10-26 21:59 <DIR> d-------- C:\Program Files\NVIDIA Corporation
    2007-10-26 17:35 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
    2007-10-26 17:35 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
    2007-10-26 17:35 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
    2007-10-18 22:54 <DIR> d-------- C:\Program Files\Flagship Studios
    2007-10-18 22:50 <DIR> d-------- C:\demo
    2007-10-18 22:47 <DIR> d-------- C:\Hellgate London Demo Setup
    2007-10-12 18:02 <DIR> d-------- C:\Program Files\Activision
    2007-10-10 20:07 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
    2007-10-10 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Age of Empires 3 YPack Trial

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-07 04:25 --------- d-----w C:\Program Files\ABIT
    2007-11-07 04:22 --------- d-----w C:\Program Files\Microsoft IntelliPoint
    2007-11-05 06:55 --------- d-----w C:\Program Files\Codemasters
    2007-11-04 21:30 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-11-04 21:30 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-11-02 02:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-28 23:52 7,424,992 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
    2007-10-28 08:30 --------- d-----w C:\Program Files\Viewpoint
    2007-10-28 08:30 --------- d-----w C:\Program Files\AIM6
    2007-10-28 08:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-10-28 08:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2007-10-28 08:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
    2007-10-28 03:46 --------- d-----w C:\Documents and Settings\Jeff\Application Data\IGN_DLM
    2007-10-27 01:33 --------- d-----w C:\Program Files\Electronic Arts
    2007-10-15 03:04 --------- d-----w C:\Program Files\Microsoft Games
    2007-10-14 20:03 --------- d-----w C:\Program Files\Java
    2007-10-13 02:40 --------- d-----w C:\Program Files\DivX
    2007-10-13 02:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-10 03:06 --------- d-----w C:\Program Files\Sierra Entertainment
    2007-10-07 20:32 --------- d-----w C:\Program Files\CompuServe 7.0
    2007-09-30 21:08 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-09-30 21:08 --------- d-----w C:\Documents and Settings\Jeff\Application Data\InstallShield
    2007-09-30 21:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
    2007-09-30 21:07 --------- d-----w C:\Program Files\Common Files\InstallShield
    2007-09-30 21:04 --------- d-----w C:\Program Files\Ubisoft
    2007-09-30 00:22 --------- d-----w C:\Documents and Settings\Jeff\Application Data\Bioshock
    2007-09-28 16:07 43,528 ----a-w C:\WINDOWS\system32\drivers\PxHelp20.sys
    2007-09-17 08:05 --------- d-----w C:\Documents and Settings\Jeff\Application Data\.BitTornado
    2007-09-16 21:32 --------- d-----w C:\Documents and Settings\Jeff\Application Data\Viewpoint
    2007-09-15 22:54 --------- d-----w C:\Program Files\Common Files\AOL
    2007-09-15 22:54 --------- d-----w C:\Documents and Settings\Jeff\Application Data\acccore
    2007-09-15 22:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
    2007-09-08 02:10 --------- d-----w C:\Program Files\EA Sports
    2007-01-31 01:59 1 ----a-w C:\Documents and Settings\Jeff\SI.bin
    2005-07-30 00:24:26 472 --sha-r C:\WINDOWS\SmVmZiBMb21iYXJkaQ\mApAt21gvZY2srL4uk.vbs
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A6CEAD9-AEE3-44CA-8CE9-7376006447C6}]
    2007-08-02 05:43 282624 --a------ C:\Program Files\ABIT\hokem83122.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A9F6EE9-EB99-4D4F-805E-A7F84F1880A6}]
    2007-08-02 05:43 282624 --a------ C:\Program Files\ABIT\hokem555077.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E862745-1DFE-498A-896F-EA620817210C}]
    2007-08-02 05:43 282624 --a------ C:\Program Files\ABIT\hokem4444.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
    2007-11-04 13:12 36352 --a------ C:\WINDOWS\system32\tuvsrpm.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]
    2007-11-04 13:15 21504 --a------ C:\WINDOWS\system32\aivskurq.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ad5c108d-fbd0-4ed1-bf62-7932c7d7f52f}]
    2007-11-06 17:46 81472 --a------ C:\WINDOWS\system32\vjqijkuk.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SkyTel"="SkyTel.EXE" [2006-04-23 23:20 C:\WINDOWS\SkyTel.exe]
    "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 15:39]
    "DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2005-02-01 18:28]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 12:09]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
    "PCTVOICE"="pctspk.exe" [2003-07-17 12:01 C:\WINDOWS\system32\pctspk.exe]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-28 15:52]
    "nwiz"="nwiz.exe" [2007-10-28 15:52 C:\WINDOWS\system32\nwiz.exe]
    "IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-05-11 10:47]
    "36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-16 16:05]
    "RTHDCPL"="RTHDCPL.EXE" [2006-05-03 23:59 C:\WINDOWS\RTHDCPL.EXE]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 14:57]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-28 15:52]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2007-03-05 13:57]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
    "Aim6"="" []
    "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" []
    "NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 11:32]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\system32\tuvsrpm.dll [2007-11-04 13:12 36352]

    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kebfgsgk]
    kebfgsgk.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsrpm]
    tuvsrpm.dll 2007-11-04 13:12 36352 C:\WINDOWS\system32\tuvsrpm.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbfi32]
    winbfi32.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkjh.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CompuServe 7.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CompuServe 7.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\CompuServe 7.0 Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
    C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
    "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

    R0 Si3132r5;SiI-3132 SoftRaid 5 Controller;C:\WINDOWS\system32\DRIVERS\Si3132r5.sys
    R0 UGURU;UGURU;C:\WINDOWS\system32\drivers\uGuru.sys
    R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\C:\Program Files\CyberLink\PowerDVD\000.fcl
    R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
    S3 ALSysIO;ALSysIO;\??\C:\DOCUME~1\Jeff\LOCALS~1\Temp\ALSysIO.sys
    S3 Memctl;Memctl;\??\C:\Program Files\ABIT\FlashMenu\Memctl.sys
    S3 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\C:\DOCUME~1\Jeff\LOCALS~1\Temp\TCCpuInfo.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - F:\AUTORUN.EXE

    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-06 20:26:28
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-06 20:26:52 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-06-19 11:42
    C:\ComboFix2.txt ... 2007-06-19 11:42
    C:\ComboFix3.txt ... 2007-06-18 23:36
    .
    --- E O F ---
     
  4. Punker1234

    Punker1234 Thread Starter

    Joined:
    May 6, 2006
    Messages:
    124
    Too big for one post, so I threw the attachment at the bottom of the next page. Thanks again for the help.
     
  5. Punker1234

    Punker1234 Thread Starter

    Joined:
    May 6, 2006
    Messages:
    124
    Here ya go for super


    and then the hijack log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:22:53 PM, on 11/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SkyTel.EXE
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\DU Meter\DUMeter.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Jeff\Desktop\HiJackThis.exe

    O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
    O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
    O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
    O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
    O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
    O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
    O2 - BHO: (no name) - {B42B4FF3-785E-4314-B7F7-65C743962FBB} - C:\WINDOWS\system32\pmkhh.dll (file missing)
    O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
    O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
    O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
    O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
    O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159777509576
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159777470951
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: kebfgsgk - kebfgsgk.dll (file missing)
    O20 - Winlogon Notify: winbfi32 - winbfi32.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\Microsoft IntelliPoint\profsyrtym.html

    --
    End of file - 7810 bytes
     


  6. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, Punker1234 :)

    Please insert your flash drives in the computer.
    • Copy the entire contents of the Code Box below to Notepad.
    • Name the file as CFScript.txt
    • Change the Save as Type to All Files
    • and Save it on the desktop
    Code:
    File::
    C:\WINDOWS\system32\mpcpcsfg.exe
    C:\WINDOWS\system32\cgsramdt.dll
    C:\WINDOWS\system32\vjqijkuk.dll
    C:\WINDOWS\system32\ymqydmbo.exe
    C:\WINDOWS\system32\fykuiifj.dll
    C:\WINDOWS\system32\wwgmimcv.dll
    C:\WINDOWS\system32\gxgvgcqp.dll
    C:\WINDOWS\system32\quofmfhx.exe
    C:\WINDOWS\system32\futpgmvu.dll
    C:\WINDOWS\system32\ace16win.dll
    C:\WINDOWS\fkwggshm.exe
    C:\WINDOWS\system32\stfv.bin
    C:\WINDOWS\system32\acespy
    C:\WINDOWS\acdt-pid72.exe
    C:\WINDOWS\system32\aivskurq.dll
    C:\WINDOWS\system32\dpqaqlqx.bin
    F:\AUTORUN.EXE
    C:\WINDOWS\system32\tuvsrpm.dll
    C:\WINDOWS\mrofinu77.exe
    C:\WINDOWS\system32\kebfgsgk.dll
    C:\WINDOWS\system32\winbfi32.dll
    
    Folder::
    C:\WINDOWS\system32\Mz08r
    C:\WINDOWS\SmVmZiBMb21iYXJkaQ
    C:\temp\mZOr
    C:\Program Files\ABIT
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A6CEAD9-AEE3-44CA-8CE9-7376006447C6}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A9F6EE9-EB99-4D4F-805E-A7F84F1880A6}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E862745-1DFE-498A-896F-EA620817210C}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ad5c108d-fbd0-4ed1-bf62-7932c7d7f52f}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell ExecuteHooks]
    "{634BBAB7-3F60-4426-944F-A62B9007F67F}"=-
    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kebfgsgk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsrpm]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbfi32]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F\Shell]
    
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.
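    As an added example for this thread (not ComboFix's, HijackThis's or the CFScript's own code), the Python below parses registry entries in the format ComboFix prints, flags a Userinit or LSA "Authentication Packages" value that departs from the Windows XP defaults, and decodes the script's hex(7) line to confirm it restores only msv1_0. The two sample dumps and all function names are constructed for the example; the sample values are taken from the log posted earlier in the thread.

```python
# Flag Winlogon/LSA persistence in a ComboFix-style registry dump.
# Added example for this thread; not part of ComboFix, HijackThis or the CFScript.
# SAMPLE_DUMP is constructed from values in the thread's ComboFix log (infected
# state); FIXED_DUMP mirrors what the CFScript's Registry:: section sets.
import re

# Stock Windows XP values: one logon program, one LSA authentication package.
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe"
DEFAULT_AUTH_PACKAGES = ["msv1_0"]
WINLOGON_KEY = r"hkey_current_user\software\microsoft\windows nt\currentversion\winlogon"
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"

SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkjh.dll
"""

FIXED_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")          # [key] or [-key] (deletion)
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "name"=value


def parse_dump(text):
    """Return {key (lower-cased): {value name: raw value}}; lines that are not
    "name"=value (e.g. a bare DLL name under a Notify subkey) are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(2).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def _unquote(value):
    """Strip surrounding quotes and the doubled backslashes of an exported REG_SZ."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value.replace("\\\\", "\\")


def decode_multi_sz_hex(value):
    """Decode a hex(7): REG_MULTI_SZ literal into its strings. The CFScript writes
    single-byte characters, regedit exports UTF-16LE; both are accepted."""
    hexpart = value.split(":", 1)[1]
    data = bytes(int(b, 16) for b in hexpart.split(",") if b.strip())
    if data and len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        text = data.decode("utf-16-le")
    else:
        text = data.decode("latin-1")
    return [s for s in text.split("\0") if s]


def check_userinit(keys):
    """Userinit entries other than stock userinit.exe. Winlogon runs every
    comma-separated entry at logon, so an extra program here is persistence."""
    raw = keys.get(WINLOGON_KEY, {}).get("Userinit")
    if raw is None:
        return []
    entries = [e.strip() for e in _unquote(raw).split(",") if e.strip()]
    return [e for e in entries if e.lower() != DEFAULT_USERINIT.lower()]


def check_auth_packages(keys):
    """LSA Authentication Packages beyond msv1_0; each one is loaded into lsass.exe
    at boot. ComboFix prints the list space-separated, the CFScript as hex(7)."""
    raw = keys.get(LSA_KEY, {}).get("Authentication Packages")
    if raw is None:
        return []
    if raw.lower().startswith("hex(7):"):
        entries = decode_multi_sz_hex(raw)
    else:
        entries = _unquote(raw).split()
    return [e for e in entries if e.lower() not in DEFAULT_AUTH_PACKAGES]


def report(text):
    """Findings for one dump; an empty list means both keys are stock."""
    keys = parse_dump(text)
    findings = [f"Userinit runs extra program: {e}" for e in check_userinit(keys)]
    findings += [f"LSA loads extra package: {e}" for e in check_auth_packages(keys)]
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_DUMP):
        print("FLAG:", finding)
    print("after CFScript:", report(FIXED_DUMP) or "no findings")
```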
     
  7. Punker1234

    Punker1234 Thread Starter

    Joined:
    May 6, 2006
    Messages:
    124
    Hello. I ran ComboFix and the attachment should be below, and HijackThis of course. Thanks.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:50:01 PM, on 11/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SkyTel.EXE
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\DU Meter\DUMeter.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\BitTornado\btdownloadgui.exe
    C:\Program Files\BitTornado\btdownloadgui.exe
    C:\Documents and Settings\Jeff\Desktop\HiJackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {B42B4FF3-785E-4314-B7F7-65C743962FBB} - C:\WINDOWS\system32\pmkhh.dll (file missing)
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159777509576
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159777470951
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\Microsoft IntelliPoint\profsyrtym.html

    --
    End of file - 6816 bytes
     

    Attached Files:

    • log.txt (47.8 KB)
  8. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, Punker1234 :)

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    O2 - BHO: (no name) - {B42B4FF3-785E-4314-B7F7-65C743962FBB} - C:\WINDOWS\system32\pmkhh.dll (file missing)

    Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

    Close Hijackthis.

    The rest looks clear. How is it doing?
     
  9. Punker1234

    Punker1234 Thread Starter

    Joined:
    May 6, 2006
    Messages:
    124
    Okay, I ran HijackThis and that's removed. Everything seems fine, there doesn't seem to be anything happening. The only thing I see is that my background is still changed to that black image with my IP address. Should I just try and change that manually?
     
  10. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, Punker1234 :)

    Go to the Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" Delete everything except for "My Current Home Page". Click OK then Apply and OK.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. (If present)

    O24 - Desktop Component 0: (no name) - C:\Program Files\Microsoft IntelliPoint\profsyrtym.html


    Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

    Close Hijackthis.

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\Program Files\Microsoft IntelliPoint\profsyrtym.html

    Restart the computer and test.
     
  11. Punker1234

    Punker1234 Thread Starter

    Joined:
    May 6, 2006
    Messages:
    124
    All looks well. My desktop is still using that background, but I think the virus or whatnot just changed the default image. I don't see it in HijackThis but I ran it again for you. Is there a free virus protector that you can right-click a file to scan for a virus? Thanks!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:40:26 PM, on 11/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SkyTel.EXE
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\DU Meter\DUMeter.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Jeff\Desktop\HiJackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159777509576
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159777470951
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

    --
    End of file - 6550 bytes
     
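The log posted above is reviewed by eye in this thread. As an added example (my own code, not the thread's, not part of HijackThis, and not the moderator's method), here is a small Python parser for the O2/O4/O9/O20/O23 line formats with a few review rules of the kind a log reader applies: orphaned entries marked "(no file)", Run-key commands that give only a bare executable name, services with no vendor string, and files that live under user-writable directories. The sample lines copy entries from the log posted in this thread; the [ExampleEntry] line is constructed for the example, and the rule names are this example's own. A hit is a prompt to locate and check the file, not a verdict.

```python
"""Parse HijackThis-style log entries and flag the ones a reviewer checks first.

Added example, not code from the thread or from HijackThis. Rule names are
this example's own; see triage() for what each one means.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the log posted in the thread, plus one
# made-up [ExampleEntry] line to exercise the user-writable-path rule.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ExampleEntry] C:\Documents and Settings\Jeff\Local Settings\Temp\example.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Entry:
    section: str                  # HijackThis section id, e.g. "O4" or "O23"
    name: str                     # Run value name, BHO name, button name, service name
    target: str                   # command line, DLL path, service binary or "(no file)"
    owner: Optional[str] = None   # O23 vendor string; None for other sections
    hive: Optional[str] = None    # O4 registry hive (HKLM/HKCU); None otherwise
    raw: str = ""


O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O9_RE = re.compile(r"^O9 - (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (.*?) - (.*)$")
# The owner may be empty; the posted log shows it as "- -" (a space collapsed in
# the forum rendering), so the separators around it allow optional whitespace.
O23_RE = re.compile(r"^O23 - Service: (.*?) -\s*(.*?)\s*- (.*)$")


def parse_line(line: str) -> Optional[Entry]:
    """Turn one recognised log line into an Entry; other lines give None."""
    line = line.strip()
    if m := O2_RE.match(line):
        return Entry("O2", m.group(1), m.group(3), raw=line)
    if m := O4_RE.match(line):
        return Entry("O4", m.group(3), m.group(4), hive=m.group(1), raw=line)
    if m := O9_RE.match(line):
        return Entry("O9", m.group(1), m.group(3), raw=line)
    if m := O20_RE.match(line):
        return Entry("O20", m.group(1), m.group(2), raw=line)
    if m := O23_RE.match(line):
        return Entry("O23", m.group(1), m.group(3), owner=m.group(2), raw=line)
    return None


def parse_log(text: str) -> List[Entry]:
    """Parse every recognised entry line; blank and unrecognised lines are skipped."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


QUOTED_RE = re.compile(r'^"([^"]+)"')
UNQUOTED_RE = re.compile(r"^(.*?\.(?:exe|dll|scr|com|bat|cmd))(?=\s|$)", re.IGNORECASE)


def command_path(command: str) -> str:
    r"""Return the executable part of an O4 command line.

    Quoted paths are taken verbatim; unquoted ones are cut at the first
    executable extension followed by whitespace, so an unquoted path with
    spaces (C:\Program Files\DU Meter\DUMeter.exe) stays whole.
    """
    command = command.strip()
    if m := QUOTED_RE.match(command):
        return m.group(1)
    if m := UNQUOTED_RE.match(command):
        return m.group(1)
    return command.split()[0] if command else ""


# Path fragments marking locations a standard user can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\appdata\\")


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Apply the review rules and return (entry name, rule) pairs.

    no-file             registered file is gone: orphaned entry, safe to clean up
    bare-exe-name       O4 command names only a file, so it is resolved through
                        PATH/App Paths: confirm which binary actually runs
    no-vendor           O23 service with an empty vendor or "Unknown owner"
    user-writable-path  file sits under a profile or temp directory
    """
    findings: List[Tuple[str, str]] = []
    for e in parse_log(log_text):
        path = command_path(e.target) if e.section == "O4" else e.target.strip()
        if path == "(no file)":
            findings.append((e.name, "no-file"))
            continue
        if e.section == "O4" and "\\" not in path:
            findings.append((e.name, "bare-exe-name"))
        if e.section == "O23" and (e.owner or "").strip() in ("", "Unknown owner"):
            findings.append((e.name, "no-vendor"))
        if any(marker in path.lower() for marker in USER_WRITABLE):
            findings.append((e.name, "user-writable-path"))
    return findings


if __name__ == "__main__":
    for name, rule in triage(SAMPLE_LOG):
        print(f"{rule:<20} {name}")
```

Run as-is it lists the five entries from the sample that match a rule; point `triage()` at a saved log instead of `SAMPLE_LOG` to go through a full one. Legitimate software trips the bare-exe-name and no-vendor rules often (RTHDCPL.EXE and nwiz.exe in the log above are launched by name), which is why the output is a checklist of files to locate and verify rather than a list of things to delete.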
  12. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, Punker1234 :)

    It ain't over until the fat lady sings.

    Download Deckard's System Scanner (DSS) from here or here to your Desktop. Note: You must be logged onto an account with administrator privileges.
    1. Close all applications and windows.
    2. Double-click on dss.exe to run it, and follow the prompts.
    3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
    4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of both, the main.txt and the extra.txt in your next reply.
    If the files are too long, attach them to a reply:
    1. Scroll down and click the [Manage Attachments] button
    2. Browse to the following folder:
      • C:\Deckard\System Scanner
    3. Click Upload to upload these files one by one
    4. Submit your reply
     
  13. Punker1234

    Punker1234 Thread Starter

    Joined:
    May 6, 2006
    Messages:
    124
    Here ya go, both files for you. I appreciate the help, honestly! It's a bummer having a machine violated with this stuff. Do you know of a good free virus scanner or do the reasonable ones generally cost money?
     

    Attached Files:

  14. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, Punker1234 :)

    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment Standard Edition v1.3.1_02
    Java(TM) 6 Update 2
    Java(TM) SE Runtime Environment 6 Update 1


    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

    C:\WINDOWS\system32\acespy

    I see no other problems. Are you still experiencing the background problem?
     
  15. Punker1234

    Punker1234 Thread Starter

    Joined:
    May 6, 2006
    Messages:
    124
    Deleted those, I haven't done a restart yet, but it's funny. When I restart or shut down my computer, the background flashes pretty quickly and I can see the original background image I had for a split second. Everything seems perfectly fine, no slowdown or pop ups on the system.

    Maybe I missed something on the other programs like combofix or something?
     
Short URL to this thread: https://techguy.org/648753