# Explorer.exe Disappearing



## castman10 (Aug 11, 2008)

I think my computer somehow got infected w/spyware and occasionally, explorer.exe will stop running. Random ads also are appearing randomly when I visit pages like gmail. I've tried running ad-aware, but it hasn't found the problem. Any ideas?


----------



## castman10 (Aug 11, 2008)

Actually, for some reason, the ads only appear when I'm using firefox. I can avoid them by using avant browser.


----------



## evilfantasy (Aug 11, 2008)

Download and rename  TrendMicro HijackThis.exe (HJT)


 Double-click on HJTInstall.
 Click on the *Install* button.
 It will automatically place HJT in *C:\Program Files\TrendMicro\HijackThis\HijackThis.exe*.
 Upon install, HijackThis should open for you.


Click on the *Do a system scan and save a log file* button
 HijackThis will scan and then a log will open in notepad.
* Copy and then paste the entire contents of the log in your post*.
* Do not* have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


----------



## castman10 (Aug 11, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:38 PM, on 8/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Arena\Arena.exe
C:\Program Files\ChessBase\Engines\UCI\TogaII14-5c-1cpu.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://selectsmart.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [08a7e8b2] rundll32.exe "C:\WINDOWS\system32\mlpyenol.dll",b
O4 - HKLM\..\Run: [BM0b94db2e] Rundll32.exe "C:\WINDOWS\system32\fwcpnxnl.dll",s
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\SCRABBLE\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1203571496187
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game12.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\SCRABBLE\Images\armhelper.ocx
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SRS Labs License Service - SRS Labs - C:\Program Files\Common Files\SRS Labs Shared\Service\srslabslicenseservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8073 bytes


----------



## evilfantasy (Aug 11, 2008)

Download Malwarebytes' Anti-Malware (MBAM)


Double-click *mbam-setup.exe* and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
 *Update Malwarebytes' Anti-Malware*
 *Launch Malwarebytes' Anti-Malware*
 
Then click *Finish*.
If an update is found, it will download and install the latest version.
Once the program has loaded, select *Perform quick scan*, then click *Scan*.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Be sure that everything is checked, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
*Copy and Paste the entire report in your next reply.*
 *Extra Note:* _If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately._

----------

You have *Viewpoint* installed.

Viewpoint Media Player/Manager/Toolbar is considered as *foistware instead of malware* since it is installed without users approval but doesn't spy or do anything "bad".

More information:

ViewMgr.exe - Useless
Viewpoint To Track Browsing, Serve Ads
Viewpoint to Plunge Into Adware
 It is suggested to remove the program now.
Go to *Start > Settings > Control Panel > Add or Remove Programs* and remove the following programs if present.

* Viewpoint*
* Viewpoint Manager*
* Viewpoint Media Player*
* Viewpoint Toolbar*
* Viewpoint Experience Technology*
----------

Now run a new HijackThis scan and post that log along with the MBAM log.

Also let me know how things are now.


----------



## castman10 (Aug 12, 2008)

Malwarebytes' Anti-Malware 1.24
Database version: 1042
Windows 5.1.2600 Service Pack 2

6:09:19 PM 8/11/2008
mbam-log-8-11-2008 (18-09-19).txt

Scan type: Quick Scan
Objects scanned: 48758
Time elapsed: 5 minute(s), 58 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 8
Registry Keys Infected: 22
Registry Values Infected: 10
Registry Data Items Infected: 2
Folders Infected: 26
Files Infected: 56

Memory Processes Infected:
C:\Program Files\sprof\sprof.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\awtrOfCV.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iyfgktkp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\mlpyenol.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hgGaaWqo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\suarca.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\iSecurity\v20\iSecurity.cpl (Rouge.ISecurity) -> Delete on reboot.
C:\WINDOWS\Resources\VolumeSetup.dll (Trojan.Clicker) -> Delete on reboot.
C:\WINDOWS\system32\iSecurity.cpl (Rouge.ISecurity) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6b0e2793-4b64-4131-b50d-cdaa01106aee} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6b0e2793-4b64-4131-b50d-cdaa01106aee} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{da152821-1317-457b-aba0-573178408f06} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{da152821-1317-457b-aba0-573178408f06} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{10990d5b-d686-4cd2-81eb-c7540450a1ba} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10990d5b-d686-4cd2-81eb-c7540450a1ba} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hggaawqo (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\isecurity.mgr (Rouge.ISecurity) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\isecurity.mgr.1 (Rouge.ISecurity) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhct2lj0eea5 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhct2lj0eea5 (Rogue.Multiple) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{bc47bfa6-7b77-4c2a-bcef-5d78523ddc6f} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\iSecurity (Rouge.ISecurity) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\08a7e8b2 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{10990d5b-d686-4cd2-81eb-c7540450a1ba} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\isecurity (Rouge.ISecurity) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows defend (Rouge.ISecurity) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sprof (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhct2lj0eea5 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\prebootcheck (Trojan.Clicker) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iSecurity applet (Rouge.ISecurity) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm0b94db2e (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm0b94db2e (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtrofcv -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtrofcv  -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\ISecurity (Rouge.ISecurity) -> Delete on reboot.
C:\Program Files\ISecurity\Antivirus 2009 (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\Antivirus XP 2008 (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\SystemDefender (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\v20 (Rouge.ISecurity) -> Delete on reboot.
C:\Program Files\ISecurity\{829DAC63-1F27-41a9-846B-30536AD47135} (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\{8BD8E8FA-92A5-4a5c-A044-FBF462517EB4} (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\{8C67A1C3-2BAE-479c-997E-94BCE68762CB} (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\{9DA536DD-32B1-4944-B34F-98A8E18CF2BA} (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\{AE997BF5-8AF9-43c3-946B-2C29553E5141} (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\{DB46333A-3CE6-42d8-87BF-6B6185640619} (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\sprof (Trojan.Agent) -> Quarantined and deleted successfully.
C:\iSecurity (Rogue.ISecurity) -> Quarantined and deleted successfully.
C:\iSecurity\v20 (Rogue.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\rhct2lj0eea5 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Castman\Application Data\rhct2lj0eea5 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Castman\Application Data\rhct2lj0eea5\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Castman\Application Data\rhct2lj0eea5\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Castman\Application Data\rhct2lj0eea5\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Castman\Application Data\rhct2lj0eea5\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Castman\Application Data\rhct2lj0eea5\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Castman\Application Data\rhct2lj0eea5\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Castman\Application Data\rhct2lj0eea5\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Castman\Application Data\rhct2lj0eea5\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Castman\Application Data\rhct2lj0eea5\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Castman\Application Data\rhct2lj0eea5\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\suarca.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\awtrOfCV.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\VCfOrtwa.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\VCfOrtwa.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iyfgktkp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\pktkgfyi.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlpyenol.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\loneyplm.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgGaaWqo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iiffFvWm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cbXRLffC.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wipconml.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wletbmua.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtusqNh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uhwkifhb.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bpcqanej.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMcbbXr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lrhfaa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddcAtroo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\antivirusxp.bmp (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\antivirusxp.ico (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\antivirusxpi.bmp (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\av2009.bmp (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\av2009.ico (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\av2009i.bmp (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\iSecurity.dat (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\iSecurity.html (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\systemdefender.bmp (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\systemdefender.ico (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\systemdefenderi.bmp (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\Thumbs.db (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\Antivirus XP 2008\install.exe (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\ISecurity\v20\iSecurity.cpl (Rouge.ISecurity) -> Delete on reboot.
C:\Program Files\ISecurity\{9DA536DD-32B1-4944-B34F-98A8E18CF2BA}\install.exe (Rouge.ISecurity) -> Quarantined and deleted successfully.
C:\Program Files\sprof\sprof.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\rhct2lj0eea5\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhct2lj0eea5\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhct2lj0eea5\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhct2lj0eea5\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhct2lj0eea5\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhct2lj0eea5\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhct2lj0eea5\rhct2lj0eea5.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhct2lj0eea5\rhct2lj0eea5.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhct2lj0eea5\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Castman\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\Resources\VolumeSetup.dll (Trojan.Clicker) -> Delete on reboot.
C:\WINDOWS\system32\iSecurity.cpl (Rouge.ISecurity) -> Delete on reboot.
C:\WINDOWS\system32\jepvjwyv.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\hbbcdwei.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM0b94db2e.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM0b94db2e.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Castman\Desktop\Antivirus 2009.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Castman\Desktop\Antivirus XP 2008.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Castman\Desktop\SystemDefender.lnk (Rogue.SystemDefender) -> Quarantined and deleted successfully.


I'll post the HiJackThis log later. I have to head out for a few hours.


----------



## evilfantasy (Aug 12, 2008)

No problem.

Things running better now?


----------



## castman10 (Aug 12, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:54 PM, on 8/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Trend Micro\yousuckisecurity\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://selectsmart.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [tinuproxy] C:\Program Files
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\SCRABBLE\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1203571496187
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game12.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\SCRABBLE\Images\armhelper.ocx
O20 - AppInit_DLLs: iSecurity.cpl
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SRS Labs License Service - SRS Labs - C:\Program Files\Common Files\SRS Labs Shared\Service\srslabslicenseservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8212 bytes


As far as I can tell, things are running better. Thank you so much. I think the problem was some program called isecurity that somehow found its way on to my computer. I will post later if I have any problems.


----------



## castman10 (Aug 12, 2008)

Actually, for some reason, when I open firefox, I get this message.

Proxy Server Refused Connection

Firefox is configured to use a proxy server that is refusing connections.

The browser is configured to use a proxy server, but the proxy refused a connection.

    * Is the browser's proxy configuration correct? Check the settings and try again.
    * Does the proxy service allow connections from this network?
    * Still having trouble? Consult your network administrator or Internet provider for assistance.


I'm still able to access the internet if I use avant browser though. Any ideas?


----------



## evilfantasy (Aug 12, 2008)

Not sure on the message, do you use tinuproxy?

There are still some remenants left so we need to run another scan.

Open HijackThis and select *Do a system scan only*.

Place a check mark next to the following entries: (if there)


*O4 - HKCU\..\Run: [tinuproxy] C:\Program Files*
* O20 - AppInit_DLLs: iSecurity.cpl*
 *Important:* Close all windows except for HijackThis and then click *Fix checked*.

Exit HijackThis.

----------

Download ComboFix by sUBs from one of the below links. Be sure top save it to the *Desktop*.

Link #1
 Link #2

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.

Temporarily *disable* your *antivirus*, and any *antispyware* real time protection _*before*_ performing a scan. Click  this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.

When finished ComboFix will produce a log for you.

Post the *ComboFix log* and a new *HijackThis log* in your next reply.

*Important:* Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.


----------



## castman10 (Aug 13, 2008)

ComboFix 08-08-12.01 - Castman 2008-08-12 22:24:09.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.638 [GMT -5:00]
Running from: C:\Documents and Settings\Castman\Desktop\ComboFix.exe
 * Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Judy\Application Data\macromedia\Flash Player\#SharedObjects\MJEQJHS5\interclick.com
C:\Documents and Settings\Judy\Application Data\macromedia\Flash Player\#SharedObjects\MJEQJHS5\interclick.com\ud.sol
C:\Documents and Settings\Judy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Judy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\337059
C:\WINDOWS\system32\337059\337059.dll
C:\WINDOWS\system32\config\systemprofile\Desktop\Antivirus 2009.lnk
C:\WINDOWS\system32\config\systemprofile\Desktop\Antivirus XP 2008.lnk
C:\WINDOWS\system32\config\systemprofile\Desktop\SystemDefender.lnk
C:\WINDOWS\system32\fwcpnxnl.dll
C:\WINDOWS\system32\loneyplm.tmp2
C:\WINDOWS\system32\ntnplmsk.dll

.
(((((((((((((((((((((((((   Files Created from 2008-07-13 to 2008-08-13  )))))))))))))))))))))))))))))))
.

2008-08-11 17:44 . 2008-08-11 17:44	<DIR>	d--------	C:\Documents and Settings\Castman\Application Data\Malwarebytes
2008-08-11 17:43 . 2008-08-11 17:44	<DIR>	d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-08-11 17:43 . 2008-08-11 17:43	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-11 17:43 . 2008-07-30 20:07	38,472	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-11 17:43 . 2008-07-30 20:07	17,144	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-08-11 17:05 . 2008-08-11 17:05	0	--a------	C:\WINDOWS\system32\FF.tmp
2008-08-11 16:57 . 2008-08-11 16:57	<DIR>	d--------	C:\Program Files\tinyproxy
2008-08-11 16:56 . 2008-08-11 16:56	138,752	--a------	C:\tmp47150311.dll
2008-08-11 16:28 . 2008-08-11 17:30	<DIR>	d--------	C:\Program Files\Trend Micro
2008-08-11 15:49 . 2008-08-11 15:49	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Apple
2008-08-10 16:57 . 2008-08-10 16:57	<DIR>	d--------	C:\Program Files\Common Files\Wise Installation Wizard
2008-08-09 18:03 . 2008-08-09 18:14	<DIR>	d--------	C:\Documents and Settings\Castman\Application Data\Uniblue
2008-07-28 15:56 . 2008-07-28 15:56	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-26 01:45 . 2008-07-26 01:45	<DIR>	d--------	C:\Documents and Settings\Castman\Application Data\Backyard Baseball 2007
2008-07-21 18:35 . 2008-07-21 18:36	<DIR>	d--------	C:\Program Files\Common Files\Logishrd
2008-07-21 18:35 . 2008-05-02 02:38	301,656	--a------	C:\WINDOWS\system32\BtCoreIf.dll
2008-07-14 22:27 . 2008-07-26 01:43	707	--a------	C:\WINDOWS\hegames.ini

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 03:28	---------	d-----w	C:\Program Files\Symantec AntiVirus
2008-08-13 02:41	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-12 02:37	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-11 22:35	---------	d-----w	C:\Program Files\Viewpoint
2008-08-11 22:35	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-11 20:49	---------	d-----w	C:\Program Files\Apple Software Update
2008-08-10 21:51	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-08-10 21:48	---------	d-----w	C:\Program Files\Wesnoth
2008-08-10 21:48	---------	d-----w	C:\Documents and Settings\Castman\Application Data\uTorrent
2008-08-10 21:48	---------	d-----w	C:\Documents and Settings\Castman\Application Data\DNA
2008-08-10 03:35	---------	d-----w	C:\Program Files\PeerGuardian2
2008-07-31 05:53	---------	d-----w	C:\Program Files\Lavasoft
2008-07-31 05:52	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-28 20:56	---------	d-----w	C:\Program Files\QuickTime
2008-07-21 23:36	---------	d-----w	C:\Program Files\Common Files\Logitech
2008-07-21 23:35	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-07-14 04:24	---------	d-----w	C:\Program Files\Battle for Wesnoth 1.5
2008-07-13 08:03	---------	d-----w	C:\Program Files\Drug Wars
2008-07-11 20:12	---------	d-----w	C:\Program Files\Java
2008-07-11 04:22	---------	d-----w	C:\Program Files\Common Files\Stardock
2008-07-11 04:22	---------	d-----w	C:\Documents and Settings\Castman\Application Data\My Battle for Middle-earth Files
2008-07-10 06:33	---------	d-----w	C:\Program Files\ACW
2008-07-10 00:06	---------	d-----w	C:\Program Files\Stardock
2008-07-04 04:30	---------	d-----w	C:\Program Files\Avant Browser
2008-06-20 17:41	245,248	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41	148,992	----a-w	C:\WINDOWS\system32\dnsapi(2).dll
2008-06-20 10:45	360,320	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44	138,368	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52	225,920	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 04:34	---------	d-----w	C:\Documents and Settings\Castman\Application Data\BitTorrent
2008-06-18 04:31	---------	d-----w	C:\Program Files\uTorrent
2008-06-18 04:29	---------	d-----w	C:\Program Files\DNA
2008-06-16 23:48	---------	d-----w	C:\Documents and Settings\Castman\Application Data\OpenOffice.org2
2008-06-16 05:55	---------	d-----w	C:\Program Files\DivX
2008-06-13 13:10	272,128	------w	C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 05:51	---------	d-----w	C:\Program Files\Yahoo!
2008-06-13 05:51	---------	d-----w	C:\Program Files\Common Files\Scanner
2008-06-13 05:50	---------	d-----w	C:\Program Files\Real
2008-06-13 05:50	---------	d-----w	C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-30 23:22	823,296	----a-w	C:\WINDOWS\system32\divx_xx0c.dll
2008-05-30 23:22	823,296	----a-w	C:\WINDOWS\system32\divx_xx07.dll
2008-05-30 23:22	815,104	----a-w	C:\WINDOWS\system32\divx_xx0a.dll
2008-05-30 23:22	802,816	----a-w	C:\WINDOWS\system32\divx_xx11.dll
2008-05-30 23:22	683,520	----a-w	C:\WINDOWS\system32\DivX.dll
2008-05-30 23:22	593,920	----a-w	C:\WINDOWS\system32\dpuGUI11.dll
2008-05-30 23:22	57,344	----a-w	C:\WINDOWS\system32\dpv11.dll
2008-05-30 23:22	53,248	-c--a-w	C:\WINDOWS\system32\dpuGUI10.dll
2008-05-30 23:22	344,064	-c--a-w	C:\WINDOWS\system32\dpus11.dll
2008-05-30 23:22	294,912	-c--a-w	C:\WINDOWS\system32\dpu10.dll
2008-05-30 23:22	294,912	----a-w	C:\WINDOWS\system32\dpu11.dll
2008-05-22 22:22	524,288	----a-w	C:\WINDOWS\system32\DivXsm.exe
2008-05-22 22:22	3,596,288	----a-w	C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 22:20	200,704	----a-w	C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20	1,044,480	----a-w	C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:19	81,920	----a-w	C:\WINDOWS\system32\dpl100.dll
2008-05-22 22:19	196,608	-c--a-w	C:\WINDOWS\system32\dtu100.dll
2008-05-22 22:19	161,096	----a-w	C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 22:18	12,288	-c--a-w	C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-16 16:58	12,632	----a-w	C:\WINDOWS\system32\lsdelete.exe
2006-12-24 22:25	774,144	-c--a-w	C:\Program Files\RngInterstitial.dll
2006-10-26 01:01	13,527,745	-c--a-w	C:\Program Files\044_3c940.zip
2006-10-26 00:24	9,091,574	-c--a-w	C:\Program Files\046_3c940.zip
2006-11-03 04:40	80	--sha-r	C:\WINDOWS\system32\4A7208F5BE.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26 52896]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-06 16:13 185896]
"nwiz"="nwiz.exe" [2007-06-29 00:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 20:23 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-09-09 21:54:23 113664]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-07-21 18:35:52 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-06-06 16:13 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Wolfram Research\\Mathematica\\6.0\\Mathematica.exe"=
"C:\\Program Files\\Wolfram Research\\Mathematica\\6.0\\MathKernel.exe"=
"C:\\Program Files\\Wolfram Research\\Mathematica\\6.0\\math.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\ApexDC++\\ApexDC.exe"=
"C:\\Program Files\\EA SPORTS\\Madden NFL 2005\\updater.exe"=
"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\patchget.dat"=
"C:\\Program Files\\Battle for Wesnoth 1.5\\wesnothd.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\tinyproxy\\tinyproxy.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:TINYPROXY
"53:TCP"= 53:TCP:TINYPROXY

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-02 20:11]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Castman\Application Data\Mozilla\Firefox\Profiles\qwje134p.default\
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.969.23408\npCIDetect11.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-12 22:28:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-12 22:32:02
ComboFix-quarantined-files.txt  2008-08-13 03:31:54

Pre-Run: 108,173,492,224 bytes free
Post-Run: 108,268,224,512 bytes free

198	--- E O F ---	2008-07-12 23:52:00


----------



## castman10 (Aug 13, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:17 PM, on 8/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\yousuckisecurity\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://selectsmart.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\SCRABBLE\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1203571496187
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game12.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\SCRABBLE\Images\armhelper.ocx
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SRS Labs License Service - SRS Labs - C:\Program Files\Common Files\SRS Labs Shared\Service\srslabslicenseservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8390 bytes


----------



## castman10 (Aug 13, 2008)

As far as I know, I do not use tinuproxy.


----------



## evilfantasy (Aug 13, 2008)

*Scan Suspicious File(s)*

Use the  VirusTotal.com - Multi engine on-line virus scanner


Copy the file path in the below Code box:


```
C:\tmp47150311.dll
```

At the upload site, click once inside the window next to *Browse*.
Press *Ctrl+V* on the keyboard (both at the same time) to paste the file path into the window.
Next click *Send File*
Your file will possibly be entered into a queue which normally takes less than a minute to clear.

This will perform a scan across multiple different virus scanning engines.
*Important:* Wait for all of the scanning engines to complete.
*Copy and then Paste the link to the results in the next reply*.


Also let me know how things are now.


----------



## castman10 (Aug 13, 2008)

http://www.virustotal.com/analisis/672a5ca501295d9244f56b4858aaf8ce

Right now, I think my computer has been stable. The only problem I have is that I can't use firefox.


----------



## evilfantasy (Aug 13, 2008)

Download OTMoveIt2 by OldTimer

*Save* it to your *desktop*.
 *Note:* If you are running on Vista, right-click on OTMoveIt2.exe and choose *Run As Administrator*.


Double-click *OTMoveIt2.exe* to run it.
Copy the lines in the codebox below.


```
[kill explorer]
C:\WINDOWS\system32\FF.tmp
C:\tmp47150311.dll
EmptyTemp
[start explorer]
```

 Return to OTMoveIt2, right click in the *Paste List of Files/Folders to Move* window (under the yellow bar) and choose *Paste*


Click the red *Moveit!* button.
*Copy everything in the Results window (under the green bar) and paste it in your next reply.*
Close *OTMoveIt2*


----------



## evilfantasy (Aug 13, 2008)

Also, are you using a proxy server for IE but not for Firefox?


----------



## castman10 (Aug 13, 2008)

And actually, I just fixed that problem. I just needed to go to options, advance, network, connection settings, and set the proxy to auto-detect.


----------



## evilfantasy (Aug 13, 2008)

How is OTMoveIt2 coming along?


----------



## castman10 (Aug 13, 2008)

Explorer killed successfully
C:\WINDOWS\system32\FF.tmp moved successfully.
DllUnregisterServer procedure not found in C:\tmp47150311.dll
C:\tmp47150311.dll NOT unregistered.
C:\tmp47150311.dll moved successfully.
< EmptyTemp >
File delete failed. C:\DOCUME~1\Castman\LOCALS~1\Temp\etilqs_cdGLFnCaFQnpsp9JhIwl scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_80.dat scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08132008_005714

Files moved on Reboot...
File C:\DOCUME~1\Castman\LOCALS~1\Temp\etilqs_cdGLFnCaFQnpsp9JhIwl not found!
C:\WINDOWS\temp\Perflib_Perfdata_80.dat moved successfully.


----------



## evilfantasy (Aug 13, 2008)

Click *START* then *RUN*
 Now type *Combofix /u* in the runbox
 Make sure there's a space between Combofix and /u
 Then hit *Enter*.
 *The above procedure will:*

Delete:
ComboFix and its associated files and folders.
 VundoFix backups, if present
 The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
 
 Reset the clock settings.
 Hide file extensions, if required.
 Hide System/Hidden files, if required.
 Set a new, clean Restore Point.
 ----------

Use the  Kaspersky Online Scanner

*In Microsoft Windows Vista*, you must open the Web browser using the *Run as Administrator* command. From the Desktop right click the icon and choose Run as Administrator.

Click on *SCAN NOW*
Click on the *Accept* button and install any components it needs.


The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the *Scan* section select *My Computer*.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on *View scan report*
Now, click on the *Save Report as* button.
In *Save as type*: click the drop arrow and select: *Text file [*.txt]*
Then, click: *Save*
Save the file to your desktop.

Post the Kaspersky log in your next reply.

*Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.*


----------



## castman10 (Aug 14, 2008)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
 Wednesday, August 13, 2008
 Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
 Kaspersky Online Scanner 7 version: 7.0.25.0
 Program database last update: Wednesday, August 13, 2008 22:07:25
 Records in database: 1090592
--------------------------------------------------------------------------------

Scan settings:
	Scan using the following database: extended
	Scan archives: yes
	Scan mail databases: yes

Scan area - My Computer:
	A:\
	C:\

Scan statistics:
	Files scanned: 142825
	Threat name: 3
	Infected objects: 4
	Suspicious objects: 0
	Duration of the scan: 02:33:43


File name / Threat name / Threats count
C:\Program Files\2Wire\sst\VNC\MotVNC.exe	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b	2
C:\Program Files\Mozilla Firefox\keygen.exe	Infected: Trojan-Downloader.Win32.FraudLoad.vaxk	1
C:\WINDOWS\Downloaded Program Files\popcaploader.dll	Infected: not-a-virusownloader.Win32.PopCap.b	1

The selected area was scanned.


Should I remove these files?


----------



## evilfantasy (Aug 14, 2008)

C:\Program Files\2Wire\sst\VNC\MotVNC.exe <- Do you have a remote connection for this computer?


----------



## castman10 (Aug 15, 2008)

I'm not entirely sure what you mean by remote connection. I have a DSL connection through a 2wire modem. Not sure if this answers your question.


----------



## evilfantasy (Aug 15, 2008)

Double-click *OTMoveIt2.exe* to run it.
Copy the lines in the codebox below.


```
[kill explorer]
C:\Program Files\2Wire\sst\VNC\MotVNC.exe
C:\Program Files\Mozilla Firefox\keygen.exe
C:\WINDOWS\Downloaded Program Files\popcaploader.dl
EmptyTemp
[start explorer]
```

 Return to OTMoveIt2, right click in the *Paste List of Files/Folders to Move* window (under the yellow bar) and choose *Paste*

Click the red *Moveit!* button.
*Copy everything in the Results window (under the green bar) and paste it in your next reply.*
Close *OTMoveIt2*


----------



## castman10 (Aug 16, 2008)

Explorer killed successfully
C:\Program Files\2Wire\sst\VNC\MotVNC.exe moved successfully.
C:\Program Files\Mozilla Firefox\keygen.exe moved successfully.
File/Folder C:\WINDOWS\Downloaded Program Files\popcaploader.dl not found.
< EmptyTemp >
File delete failed. C:\DOCUME~1\Castman\LOCALS~1\Temp\etilqs_VXQp8RcStG7ct1dQQxZg scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Castman\LOCALS~1\Temp\hsperfdata_Castman\2368 scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08162008_002103


----------



## evilfantasy (Aug 16, 2008)

Looks good. Sorry I forgot to ask for another HijackThis log so could you please run a new scan and post the log.

How is everything now?


----------



## castman10 (Aug 16, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:16:22 PM, on 8/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\vptray.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\yousuckisecurity\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://selectsmart.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\SCRABBLE\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1203571496187
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game12.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\SCRABBLE\Images\armhelper.ocx
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SRS Labs License Service - SRS Labs - C:\Program Files\Common Files\SRS Labs Shared\Service\srslabslicenseservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8087 bytes


Everything seems to be stable right now.


----------



## evilfantasy (Aug 16, 2008)

Looks good.

1. Double click *OTMoveIt2.exe* to launch it.
*Vista users right click and choose Run As Administrator*
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click *YES* at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

----------

*Next: *Set a New Restore Point to prevent possible reinfection from an old one.

Please go to: *Start -> All Programs -> Accessories -> System Tools -> System Restore -> System Restore Settings*
Click to add a check mark beside *Turn off System Restore* and click *Apply*
When you are warned that all existing Restore Points will be deleted, click *Yes* to continue and wait a few moments to let System Restore clear.
Uncheck "*Turn off System Restore*"
Click "*Apply*," and then click "*OK*".

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide 

----------

*Keep Windows updated!*

*Important:* You need to update Windows and Internet Explorer regularly to protect your computer from the malware and other security threats that are on the Internet. Go to Microsoft Windows Update and get all critical security updates. (you will need to use Internet Explorer to do this)

*Microsoft Office Update*

If you are running any Microsoft Office version go to the Office Update site and make sure you have at least all the critical updates installed.

Please either enable Automatic Updates under *Start > Control Panel > Automatic Updates*, or get into the habit of checking for Windows updates regularly.

*Update Non-Microsoft Programs*

Use the  Secunia Software Inspector to check for out of date software.
Click *Start Now*
Check the box next to *Enable thorough system inspection.*
Click *Start*
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.


Learn more about how to protect yourself while on the Internet from the following links. So how did I get infected in the first place? by Tony Klien.


----------



## castman10 (Aug 17, 2008)

Thank you so much. I don't know what I would've done w/o you.


----------



## evilfantasy (Aug 17, 2008)

No problem.

Safe surfing.....


----------

