# please help (trojan)



## SAD_DC

ok well I don't know who was on this computer, but when I get on and try to open a folder I get this critical error message:
"Attention, (user)! Some Dangerous viruses detected in your system. Windows Vista (TM) files corrupted. This may lead to the destruction of important files in C:\Windows. Download protection software now!

Click OK to download the antispyware. (Recommended)"

Please help. I've tried running Ad-Aware, Spybot, CCleaner and Spyware Doctor and it's still here...

I really would appreciate it if someone took the time to help me out...

Thanks a lot.


----------



## Respital

Hello, please download and post a log with *HiJackThis*.

*Click here* to download *HJTsetup.exe*
Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## dopester-2k8

You need to find out if the antivirus program is saying that the Vista files are corrupted.
If it isn't, then the message is the virus. I've had this problem before and I used System Restore to fix the problem.
Go to the date when the message popped up and restore it to that date.

Tell me the progress


----------



## seecor

Whatever you do, don't download the antivirus it's asking you to.
This is usually another virus.

And to back up what Dopester said:
Is it the pop-up that says there's an error, or your antivirus?


----------



## cohen

dopester-2k8 said:


> You need to find out if the antivirus program is saying that the Vista files are corrupted.
> If it isn't, then the message is the virus. I've had this problem before and I used System Restore to fix the problem.
> Go to the date when the message popped up and restore it to that date.
> 
> Tell me the progress





seecor said:


> Whatever you do, don't download the antivirus it's asking you to.
> This is usually another virus.
> 
> And to back up what Dopester said:
> Is it the pop-up that says there's an error, or your antivirus?




Guys look, as soon as we get the HijackThis log we can figure these things out. We don't need your help really; leave it to us other guys who know a little more about these sorts of things in this area of the forum.


----------



## SAD_DC

OK, sorry it took so long to get back, I was away. Anyway, I did what you said, Respital, and here's the log. I'm pretty sure the pop-up is the virus, but that's my idea. lol It just doesn't look like a legit pop-up... oh well....

Thanks a lot guys.....









Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:11:07, on 7/15/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\soundman.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wermgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IESiteBlocker.NavFilter  - {1AB6932F-92FE-42E6-870C-544AE458EA78} - C:\Windows\system32\nvf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Corp Updates] wupdates.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtRkLCR.dll,#1
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\RunServices: [Microsoft Corp Updates] wupdates.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\xxyyxuvU.dll,c
O4 - HKCU\..\Run: [BMf76466eb] Rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf.dll",s
O4 - HKCU\..\Run: [f4575577] rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ihbslpds.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10145 bytes
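As an added illustration of how a helper reads a log like this (example code written for this page, not part of the thread or of HijackThis itself), the Python below parses the O4 autostart lines and flags the patterns visible in the log above: rundll32 loading a DLL out of a user's Temp folder through an ordinal (`#1`) or a one-letter export, a bare filename such as `wupdates.exe` with no path, and anything registered under the Windows 9x-era `RunServices` key. The sample lines are copied from the posted log; the rules and the names `parse_o4` and `triage_o4_log` are the example's own. A hit is a lead for the helper to verify, not a verdict: legitimate entries such as `SoundMan` also appear as bare filenames.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines copied from the HijackThis log posted in this
# thread, mixing legitimate and suspicious autostart entries.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Corp Updates] wupdates.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtRkLCR.dll,#1
O4 - HKLM\..\RunServices: [Microsoft Corp Updates] wupdates.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\xxyyxuvU.dll,c
O4 - HKCU\..\Run: [BMf76466eb] Rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
"""

# "O4 - <hive>\..\<key>: [<name>] <command>"  (hive may contain a SID, e.g. HKUS\S-1-5-19)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[A-Za-z]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_ANNOTATION_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")   # trailing "(User 'LOCAL SERVICE')"
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\|\\temp\\", re.IGNORECASE)
EXE_EXTS = (".exe", ".dll", ".com", ".scr", ".bat")


@dataclass
class O4Entry:
    hive: str
    key: str
    name: str
    command: str
    target: str        # the file that actually gets loaded (DLL for rundll32 entries)
    entry_point: str   # rundll32 export or ordinal; "" for ordinary executables
    reasons: list = field(default_factory=list)


def split_command(cmd):
    """Return (program, arguments). HijackThis prints unquoted paths that may contain
    spaces, so an unquoted program is extended token by token until one ends in an
    executable extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    tokens = cmd.split()
    if not tokens:
        return "", ""
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXE_EXTS):
            return " ".join(tokens[:i + 1]), " ".join(tokens[i + 1:])
    return tokens[0], " ".join(tokens[1:])


def parse_o4(line):
    """Parse one O4 line into an O4Entry, or return None for anything else."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = USER_ANNOTATION_RE.sub("", m["cmd"])
    program, rest = split_command(cmd)
    target, entry_point = program, ""
    if program.lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "rundll32"):
        # rundll32 <dll>,<export>: the DLL is the real payload, not rundll32 itself
        dll_part, _, export = rest.partition(",")
        target = dll_part.strip().strip('"')
        entry_point = export.strip().split()[0] if export.strip() else ""
    return O4Entry(m["hive"], m["key"], m["name"], cmd, target, entry_point)


def triage(entry):
    """Attach the review reasons that apply to this entry (leads, not verdicts)."""
    reasons = []
    if entry.key.lower() == "runservices":
        reasons.append("RunServices is a Windows 9x/Me key; nothing legitimate on Vista registers there")
    if "\\" not in entry.target and "%" not in entry.target:
        reasons.append("bare filename with no path; resolved through the search path at logon")
    if TEMP_DIR_RE.search(entry.target):
        reasons.append("loaded from a Temp directory")
    if entry.entry_point and (entry.entry_point.startswith("#") or len(entry.entry_point) == 1):
        reasons.append("rundll32 entry point is an ordinal or a one-letter export")
    entry.reasons = reasons
    return entry


def triage_o4_log(text):
    """Parse and triage every O4 line in a pasted HijackThis log."""
    return [triage(e) for e in map(parse_o4, text.splitlines()) if e]


if __name__ == "__main__":
    for e in triage_o4_log(SAMPLE_O4_LINES):
        print(("SUSPECT" if e.reasons else "ok     "), f"{e.hive}\\{e.key} [{e.name}] -> {e.target}")
        for r in e.reasons:
            print("        -", r)
```

Running the file prints one line per entry marked `ok` or `SUSPECT` followed by the reasons; on the sample above six of the nine entries are flagged, and the four Temp-folder DLLs each collect two reasons.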


----------



## cohen

Thank you. Please do the following:

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply.
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Then post a fresh Hijackthis log.


----------



## SAD_DC

Here you go; HijackThis coming next.




ComboFix 08-07-13.14 - Amin Elmesquine 2008-07-15  2:58:42.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate   6.0.6000.0.1252.1.1033.18.1056 [GMT -5:00]
Running from: C:\Users\Amin Elmesquine\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
C:\Windows\system32\awtRkLCR.dll
C:\Windows\system32\efcdbcax.dll
C:\Windows\system32\tuvWmlKA.dll
C:\Windows\system32\urQijHaA.dll

----- BITS: Possible infected sites -----

hxxp://theinstalls.com
hxxp://liveupdatesnet.com
.
(((((((((((((((((((((((((   Files Created from 2008-06-15 to 2008-07-15  )))))))))))))))))))))))))))))))
.

2008-07-15 01:10 . 2008-07-15 01:10	<DIR>	d--------	C:\Program Files\Trend Micro
2008-07-11 11:36 . 2008-07-11 11:36	<DIR>	d--------	C:\Users\Amin Elmeqsquine\AppData\Roaming\PC Tools
2008-07-11 11:36 . 2008-07-14 21:16	<DIR>	d-a------	C:\Users\All Users\TEMP
2008-07-11 11:36 . 2008-07-14 21:16	<DIR>	d-a------	C:\ProgramData\TEMP
2008-07-11 11:36 . 2008-07-11 10:16	<DIR>	d--------	C:\Program Files\Spyware Doctor
2008-07-11 11:36 . 2005-09-23 07:29	626,688	--a------	C:\Windows\System32\msvcr80.dll
2008-07-11 11:36 . 2007-10-04 17:10	79,688	--a------	C:\Windows\System32\drivers\iksyssec.sys
2008-07-11 11:36 . 2007-10-04 17:10	62,280	--a------	C:\Windows\System32\drivers\iksysflt.sys
2008-07-11 11:36 . 2007-10-04 17:10	41,288	--a------	C:\Windows\System32\drivers\ikfilesec.sys
2008-07-11 11:36 . 2007-10-04 17:11	29,000	--a------	C:\Windows\System32\drivers\kcom.sys
2008-07-11 00:56 . 2008-07-11 00:56	<DIR>	d--------	C:\Program Files\CCleaner
2008-07-11 00:52 . 2007-09-06 00:22	289,144	--a------	C:\Windows\System32\VCCLSID.exe
2008-07-11 00:52 . 2006-04-27 17:49	288,417	--a------	C:\Windows\System32\SrchSTS.exe
2008-07-11 00:52 . 2008-05-29 09:35	86,528	--a------	C:\Windows\System32\VACFix.exe
2008-07-11 00:52 . 2008-05-18 21:40	82,944	--a------	C:\Windows\System32\IEDFix.exe
2008-07-11 00:52 . 2008-07-02 13:33	82,432	--a------	C:\Windows\System32\IEDFix.C.exe
2008-07-11 00:52 . 2008-05-23 18:21	81,920	--a------	C:\Windows\System32\404Fix.exe
2008-07-11 00:52 . 2003-06-05 21:13	53,248	--a------	C:\Windows\System32\Process.exe
2008-07-11 00:52 . 2004-07-31 18:50	51,200	--a------	C:\Windows\System32\dumphive.exe
2008-07-11 00:52 . 2007-10-04 00:36	25,600	--a------	C:\Windows\System32\WS2Fix.exe
2008-07-11 00:52 . 2008-07-11 00:52	4,802	--a------	C:\Windows\System32\tmp.reg
2008-07-11 00:51 . 2008-07-11 00:52	<DIR>	d--------	C:\Windows\SmitfraudFix
2008-07-10 12:25 . 2008-07-10 12:25	19,968	--a------	C:\Windows\System32\nvf.dll
2008-07-10 12:21 . 2008-07-10 12:21	19,968	--a------	C:\Windows\System32\nvgfilter.dll
2008-07-10 11:27 . 2008-07-10 11:27	33,152	--a------	C:\Windows\System32\tuvUNHAS.dll
2008-07-10 11:27 . 2008-07-10 11:27	33,152	--a------	C:\Windows\System32\pmnlljIa.dll
2008-07-10 11:27 . 2008-07-10 11:27	33,152	--a------	C:\Windows\System32\opnmNDvu.dll
2008-07-10 11:27 . 2008-07-10 11:27	33,152	--a------	C:\Windows\System32\jkkHXnOe.dll
2008-06-26 15:10 . 2008-06-26 15:10	42,320	--a------	C:\Windows\System32\xfcodec.dll
2008-06-18 23:57 . 2008-06-18 23:57	<DIR>	d--------	C:\Program Files\Lavasoft

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 02:05	---------	d-----w	C:\Users\Amin Elmesquine\AppData\Roaming\Xfire
2008-07-13 22:14	---------	d-----w	C:\Users\Amin Elmesquine\AppData\Roaming\uTorrent
2008-07-13 05:06	---------	d-----w	C:\ProgramData\Xfire
2008-07-11 16:35	---------	d-----w	C:\Users\Amin Elmesquine\AppData\Roaming\Download Manager
2008-07-11 16:34	---------	d-----w	C:\Users\Amin Elmesquine\AppData\Roaming\Apple Computer
2008-07-11 11:04	---------	d-----w	C:\Program Files\QuickTime
2008-07-11 06:17	---------	d-----w	C:\Users\Amin Elmesquine\AppData\Roaming\ImgBurn
2008-07-11 05:50	---------	d-----w	C:\ProgramData\Spybot - Search & Destroy
2008-07-10 16:22	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-07-09 02:11	---------	d-----w	C:\Users\Amin Elmesquine\AppData\Roaming\Vso
2008-07-09 01:58	---------	d-----w	C:\ProgramData\DVD Shrink
2008-07-03 05:46	---------	d-----w	C:\Program Files\Safari
2008-07-01 15:27	---------	d-s---w	C:\Program Files\Xfire
2008-06-19 04:57	---------	d-----w	C:\Users\Amin Elmesquine\AppData\Roaming\Lavasoft
2008-06-12 19:00	---------	d-----w	C:\Program Files\DivX
2008-06-02 05:49	---------	d-----w	C:\Program Files\Datel
2008-05-30 23:22	823,296	----a-w	C:\Windows\System32\divx_xx0c.dll
2008-05-30 23:22	823,296	----a-w	C:\Windows\System32\divx_xx07.dll
2008-05-30 23:22	815,104	----a-w	C:\Windows\System32\divx_xx0a.dll
2008-05-30 23:22	802,816	----a-w	C:\Windows\System32\divx_xx11.dll
2008-05-30 23:22	683,520	----a-w	C:\Windows\System32\DivX.dll
2008-05-30 23:22	593,920	----a-w	C:\Windows\System32\dpuGUI11.dll
2008-05-30 23:22	57,344	----a-w	C:\Windows\System32\dpv11.dll
2008-05-30 23:22	53,248	----a-w	C:\Windows\System32\dpuGUI10.dll
2008-05-30 23:22	344,064	----a-w	C:\Windows\System32\dpus11.dll
2008-05-30 23:22	294,912	----a-w	C:\Windows\System32\dpu11.dll
2008-05-30 23:22	294,912	----a-w	C:\Windows\System32\dpu10.dll
2008-05-27 16:51	---------	d-----w	C:\ProgramData\Viewpoint
2008-05-27 16:51	---------	d-----w	C:\ProgramData\AOL
2008-05-27 16:51	---------	d-----w	C:\Program Files\AIM6
2008-05-27 16:44	---------	d-----w	C:\ProgramData\AOL Downloads
2008-05-22 22:22	524,288	----a-w	C:\Windows\System32\DivXsm.exe
2008-05-22 22:22	3,596,288	----a-w	C:\Windows\System32\qt-dx331.dll
2008-05-22 22:20	200,704	----a-w	C:\Windows\System32\ssldivx.dll
2008-05-22 22:20	1,044,480	----a-w	C:\Windows\System32\libdivx.dll
2008-05-22 22:19	81,920	----a-w	C:\Windows\System32\dpl100.dll
2008-05-22 22:19	196,608	----a-w	C:\Windows\System32\dtu100.dll
2008-05-22 22:19	161,096	----a-w	C:\Windows\System32\DivXCodecVersionChecker.exe
2008-05-22 22:18	12,288	----a-w	C:\Windows\System32\DivXWMPExtType.dll
2007-10-11 06:38	22,328	----a-w	C:\Users\Amin Elmesquine\AppData\Roaming\PnkBstrK.sys
2007-02-02 10:36	87,608	----a-w	C:\Users\Amin Elmesquine\AppData\Roaming\ezpinst.exe
2007-02-02 10:36	47,360	----a-w	C:\Users\Amin Elmesquine\AppData\Roaming\pcouffin.sys
2006-11-02 12:49	174	--sha-w	C:\Program Files\desktop.ini
2007-02-02 07:06	16,384	--sha-w	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-02-02 07:06	32,768	--sha-w	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-02-02 07:06	16,384	--sha-w	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-04-01 18:56	16,384	--sha-w	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-04-01 18:56	32,768	--sha-w	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-04-01 18:56	16,384	--sha-w	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-06-26 22:20	131,145	--sha-r	C:\Windows\System32\ope1B30.exe
2007-06-26 22:21	131,145	--sha-r	C:\Windows\System32\ope1CA2.exe
2007-06-26 22:21	131,145	--sha-r	C:\Windows\System32\ope4F5B.exe
2007-06-26 22:20	131,145	--sha-r	C:\Windows\System32\opeAB8E.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-11-02 07:33 1196032]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 07:34 125440]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 05:48 157592]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 02:23 221568]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 07:33 201728]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 07:32 2159104 C:\Windows\System32\oobefldr.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\Windows\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-03-17 21:24 184320]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 04:01 32768]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-04-26 16:17 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-04-26 16:17 8429568]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-04-26 16:17 81920]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49 77824]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-03 22:04 185632]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 20:01 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 20:50 1603152]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 10:03 210472]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 13:02 79400]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2008-07-11 11:38 1065800]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 05:39 90112 C:\Windows\soundman.exe]

C:\Users\Amin Elmesquine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2008-06-26 15:10:40 3031376]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "C:\Program Files\DVDIdle Pro\DVDShell.dll" [2004-10-09 16:18 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{48D95517-0425-43DA-A25B-9EF0BBAF0BF1}C:\\program files\\turbo torrent\\ttorrent.exe"= UDP:C:\program files\turbo torrent\ttorrent.exe:ttorrent
"UDP Query User{3AD0AC96-F62F-4C65-BC92-32DFC3587DAC}C:\\program files\\turbo torrent\\ttorrent.exe"= TCP:C:\program files\turbo torrent\ttorrent.exe:ttorrent
"{C5147B1D-88B1-4BB3-9BC7-F6B9C6888A82}"= UDP:C:\Program Files\uTorrent\utorrent.exe:µTorrent
"{C6D36C85-B1EC-48F8-83A1-97D852F6459B}"= TCP:C:\Program Files\uTorrent\utorrent.exe:µTorrent
"{D8ED019F-E5AA-4EAD-9AF4-821777AA2588}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{C2471414-DBBE-47D8-A966-0AD56DE7873C}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{598D366A-934A-460D-AFF7-6706CFF14ADE}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire
"UDP Query User{E80ABABC-1A1D-44EF-A5CC-0605EBCFFC2F}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire
"TCP Query User{A677CAA3-A720-4AF0-B7DB-E351B8CF4F27}C:\\program files\\america's army\\system\\armyops.exe"= UDP:C:\program files\america's army\system\armyops.exe:ArmyOps
"UDP Query User{F40E8E36-03AD-4101-9FEF-3E451DF1B39E}C:\\program files\\america's army\\system\\armyops.exe"= TCP:C:\program files\america's army\system\armyops.exe:ArmyOps
"TCP Query User{F20FDA5F-1935-4F44-BF5C-2EF143225D5F}C:\\program files\\aim6\\aim6.exe"= UDP:C:\program files\aim6\aim6.exe:AIM
"UDP Query User{B1586CED-5DB8-478E-A1E3-9609E6BFD1DF}C:\\program files\\aim6\\aim6.exe"= TCP:C:\program files\aim6\aim6.exe:AIM
"{CF9B9B36-BE9F-4265-86AD-E4D9847E3375}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{970CBA02-A835-43CB-8198-A541C623F688}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{5D88C314-A15E-4BFF-8373-876E9024A483}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{B04BFF8F-EA2E-432B-873C-29AA14EB1717}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{D36F1F54-4567-40E9-8B58-1D6090D0086C}"= UDP:C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2
"{4B9F98F9-ABCE-4AD3-AAD9-F5619AE42AA2}"= TCP:C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2
"TCP Query User{85CDCC6B-24D0-41B6-8C91-D5460BF7BCFA}C:\\program files\\warez\\warez.exe"= UDP:C:\program files\warez\warez.exe:Warez
"UDP Query User{412D0444-9B89-46AC-98FC-06744D122150}C:\\program files\\warez\\warez.exe"= TCP:C:\program files\warez\warez.exe:Warez
"{F4BDF477-547C-4865-BAA2-38AAAE94B64F}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{968C1F73-CC04-4070-AC09-EF379E469BB6}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{CF58555A-8515-4434-9D2C-5F4E9A142A2D}"= UDP:C:\Program Files\Microsoft Games\Age of Empires III\age3x.exe:Age of Empires III - The WarChiefs
"{6AA9BB07-8B47-4F93-8D38-502518A56690}"= TCP:C:\Program Files\Microsoft Games\Age of Empires III\age3x.exe:Age of Empires III - The WarChiefs
"{A5C81A6E-41F9-42F0-A23C-FAC197A3C517}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{85351161-C384-4857-BB12-315194228579}"= UDP:C:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas\Binaries\R6Vegas_Game.exe:Rainbow Six Vegas
"{10443E08-6D1C-4444-AB47-7260AD8D57A1}"= TCP:C:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas\Binaries\R6Vegas_Game.exe:Rainbow Six Vegas
"{AF30454B-28C3-4F5B-9F5D-6D7B6155CE10}"= UDP:C:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas\Binaries\R6Vegas_Launcher.exe:Rainbow Six Vegas Updater
"{E38E1253-F3C6-4BD2-B350-56585E8795D4}"= TCP:C:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas\Binaries\R6Vegas_Launcher.exe:Rainbow Six Vegas Updater
"{F2A8C72C-18FE-49CC-BFF1-15AADE4E2C42}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{FF65BAC3-6431-4339-A39C-C3B5744B4CCD}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{6A7BC0FA-9CAF-461B-A346-C6C1249B07F1}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{E8E356BC-F0E2-410F-B9BA-E5E6F392ABD1}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7B87927A-2216-4AD1-B022-BFE30669A531}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FAC69C5A-11AF-4C1D-BF43-BFAB5146AB37}"= UDP:C:\Windows\System32\PnkBstrA.exenkBstrA
"{8315E1AF-6F9C-4644-A87D-8732ABCF5569}"= TCP:C:\Windows\System32\PnkBstrA.exenkBstrA
"{892B8151-FC89-47E1-87FB-2FB36241E391}"= UDP:C:\Windows\System32\PnkBstrB.exenkBstrB
"{2BC554DB-EAFB-47D2-91EC-A597844951E1}"= TCP:C:\Windows\System32\PnkBstrB.exenkBstrB
"{FC5C6E23-BA87-4AEA-82C0-52CA766C6863}"= UDP:C:\Program Files\id Software\Enemy Territory - QUAKE Wars\etqwded.exe:etqwded.exe
"{191D2C1A-6822-4F54-BB33-29A1F67B4F08}"= TCP:C:\Program Files\id Software\Enemy Territory - QUAKE Wars\etqwded.exe:etqwded.exe
"{E4F7B6A9-1FA7-43B9-8911-3E584384FD37}"= UDP:C:\Program Files\id Software\Enemy Territory - QUAKE Wars\etqw.exe:Enemy Territory - QUAKE Wars(TM) 
"{6B1F30D5-909C-42F5-89D3-DBEB70F4B5B3}"= TCP:C:\Program Files\id Software\Enemy Territory - QUAKE Wars\etqw.exe:Enemy Territory - QUAKE Wars(TM) 
"{36C0D1B6-1ECF-42ED-91D5-D9B5A626F6A6}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{075A2168-7F15-4B82-B43B-CDB3ED21ED63}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{C50DE919-E902-468D-907E-9E5717C6B7B2}"= UDP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM) 
"{3FEC9F80-0C79-4F01-B312-0A6C14CAE258}"= TCP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM) 
"{69E745AC-2355-4DF2-AAFB-BAA5A9BAEF12}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{304A7C26-BA16-45A1-A1AB-24EE5F2CF9D3}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{3AB64A1B-9644-4086-9742-F996DBDE8FCB}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{BD36198A-AA11-49AC-A26E-EAFF5EBEEEC2}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{DF437572-7DBE-458E-A0E4-9C5AE2E59A19}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
"{82275C33-4A99-4234-889E-3B4BD8CC143B}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 PxHelper;PxHelper;C:\Windows\system32\drivers\PxHelper.sys [2000-02-05 12:01]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-05-04 11:21]
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 11:20]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 16:38]
S0 OemBiosDevice;Royalty OEM Bios Extension;C:\Windows\system32\drivers\royal.sys [2007-06-11 02:00]
S2 TimerStop;TimerStop;C:\Windows\system32\timerstop.sys [2007-02-02 02:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - H:\launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\shell\AutoRun\command - I:\autorun.exe
\shell\setup\command - I:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{824fa05b-012a-11dc-b50f-00508ddba7e3}]
\shell\AutoRun\command - J:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85690c21-b2aa-11db-b04a-00508ddba7e3}]
\shell\AutoRun\command - E:\launcher.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-07-14 17:52:14 C:\Windows\Tasks\User_Feed_Synchronization-{05193892-C24F-431E-A236-FCE4F1E9765B}.job"
- C:\Windows\system32\msfeedssync.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-MSServer - C:\Windows\system32\awtRkLCR.dll
HKLM-Run-Microsoft Corp Updates - wupdates.exe
HKLM-RunServices-Microsoft Corp Updates - wupdates.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 03:04:18
Windows 6.0.6000  NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


C:\Windows\TEMP\TMP0000008490D729C2EF773D7E

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-07-15  3:06:10
ComboFix-quarantined-files.txt  2008-07-15 08:06:04

Pre-Run: 145,422,884,864 bytes free
Post-Run: 145,476,390,912 bytes free

257


----------



## SAD_DC

And here's HijackThis.
I really appreciate the help, by the way.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:11:07, on 7/15/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\soundman.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wermgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IESiteBlocker.NavFilter  - {1AB6932F-92FE-42E6-870C-544AE458EA78} - C:\Windows\system32\nvf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Corp Updates] wupdates.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtRkLCR.dll,#1
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\RunServices: [Microsoft Corp Updates] wupdates.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\xxyyxuvU.dll,c
O4 - HKCU\..\Run: [BMf76466eb] Rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf.dll",s
O4 - HKCU\..\Run: [f4575577] rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ihbslpds.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10145 bytes


----------



## SAD_DC

double post sorry


----------



## cohen

Please do a scan with Kaspersky Online Scanner

Click on the *Accept* button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded, on the left side of the page in the *Scan* section, select *My Computer*.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on *View scan report*
Now, click on the *Save Report as* button.
In the drop down box labeled *Files of type* change the type to *Text file*.
Save the file to your desktop.
Copy and paste that information in your next post.


----------



## SAD_DC

Ok I will try that and get back to you.


----------



## SAD_DC

Here's the report... wow, this thing took about 2 hrs, heh.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
 Wednesday, July 16, 2008
 Operating System: Microsoft Windows Vista Ultimate Edition, 32-bit (build 6000)
 Kaspersky Online Scanner 7 version: 7.0.25.0
 Program database last update: Wednesday, July 16, 2008 15:58:48
 Records in database: 959798
--------------------------------------------------------------------------------

Scan settings:
	Scan using the following database: extended
	Scan archives: yes
	Scan mail databases: yes

Scan area - My Computer:
	A:\
	C:\
	D:\
	E:\
	F:\
	G:\
	H:\
	I:\
	J:\
	K:\
	L:\
	M:\

Scan statistics:
	Files scanned: 114064
	Threat name: 6
	Infected objects: 14
	Suspicious objects: 0
	Duration of the scan: 01:52:06


File name / Threat name / Threats count
C:\QooBox\Quarantine\C\Windows\System32\awtRkLCR.dll.vir	Infected: Trojan.Win32.Monderc.gen	1
C:\QooBox\Quarantine\C\Windows\System32\efcdbcax.dll.vir	Infected: Trojan.Win32.Monderc.gen	1
C:\QooBox\Quarantine\C\Windows\System32\tuvWmlKA.dll.vir	Infected: Trojan.Win32.Monderc.gen	1
C:\QooBox\Quarantine\C\Windows\System32\urQijHaA.dll.vir	Infected: Trojan.Win32.Monderc.gen	1
C:\Users\Amin Elmesquine\AppData\Local\Temp\xxyyxuvU.dll	Infected: Trojan.Win32.Monderc.gen	1
C:\Users\Amin Elmesquine\Desktop\Vista.All.x86x32.OneClick.Activator CLoNY [new]\Vista.All.x86x32.OneClick.Activator CLoNY [new].rar	Infected: Trojan-PSW.Win32.Steam.az	1
C:\Users\Amin Elmesquine\Desktop\Vista.All.x86x32.OneClick.Activator CLoNY [new]\Vista.All.x86x32.OneClick.Activator CLoNY [new].rar	Infected: Trojan-PSW.Win32.Steam.dj	1
C:\Windows\SmitfraudFix\Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	1
C:\Windows\System32\jkkHXnOe.dll	Infected: Trojan.Win32.Monderb.gen	1
C:\Windows\System32\nvf.dll	Infected: Trojan.Win32.BHO.exo	1
C:\Windows\System32\nvgfilter.dll	Infected: Trojan.Win32.BHO.exo	1
C:\Windows\System32\opnmNDvu.dll	Infected: Trojan.Win32.Monderb.gen	1
C:\Windows\System32\pmnlljIa.dll	Infected: Trojan.Win32.Monderb.gen	1
C:\Windows\System32\tuvUNHAS.dll	Infected: Trojan.Win32.Monderb.gen	1

The selected area was scanned.


----------



## GameMaster

Download The Avenger by Swandog46, and save it to your Desktop.

Extract avenger.exe from the Zip file and save it to your Desktop.
Run *avenger.exe* by double-clicking on it.
Do not change any check box options!!
Copy everything in the Quote box below, and paste it into the *Input script here:* part of the window:



> Files to delete:
> C:\Windows\System32\pmnlljIa.dll
> C:\Windows\System32\tuvUNHAS.dll
> C:\Windows\System32\jkkHXnOe.dll
> C:\Windows\System32\opnmNDvu.dll
> C:\Windows\System32\nvgfilter.dll
> C:\Windows\System32\nvf.dll
> C:\Windows\SmitfraudFix\Reboot.exe
> C:\Users\Amin Elmesquine\Desktop\Vista.All.x86x32.OneClick.Activ ator CLoNY [new]\Vista.All.x86x32.OneClick.Activator CLoNY [new].rar
> C:\Users\Amin Elmesquine\Desktop\Vista.All.x86x32.OneClick.Activ ator CLoNY [new]\Vista.All.x86x32.OneClick.Activator CLoNY [new].rar
> C:\Users\Amin Elmesquine\AppData\Local\Temp\xxyyxuvU.dll
> C:\QooBox\Quarantine\C\Windows\System32\awtRkLCR.d ll.vir



Now click the *Execute* button.
Click Yes to the prompt to confirm you want to execute.
Click Yes to the Reboot now? question that will appear when Avenger finishes running.
Your PC should reboot, if not, reboot it yourself.
A log file from Avenger will be produced at *C:\avenger.txt* and it will popup for you to view when you login after reboot.
Please post the content of the logfile.


----------



## SAD_DC

heres the log....



Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Windows\System32\pmnlljIa.dll" deleted successfully.
File "C:\Windows\System32\tuvUNHAS.dll" deleted successfully.
File "C:\Windows\System32\jkkHXnOe.dll" deleted successfully.
File "C:\Windows\System32\opnmNDvu.dll" deleted successfully.
File "C:\Windows\System32\nvgfilter.dll" deleted successfully.
File "C:\Windows\System32\nvf.dll" deleted successfully.
File "C:\Windows\SmitfraudFix\Reboot.exe" deleted successfully.

Error:  could not open file "C:\Users\Amin Elmesquine\Desktop\Vista.All.x86x32.OneClick.Activ ator CLoNY [new]\Vista.All.x86x32.OneClick.Activator CLoNY [new].rar"
Deletion of file "C:\Users\Amin Elmesquine\Desktop\Vista.All.x86x32.OneClick.Activ ator CLoNY [new]\Vista.All.x86x32.OneClick.Activator CLoNY [new].rar" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist


Error:  could not open file "C:\Users\Amin Elmesquine\Desktop\Vista.All.x86x32.OneClick.Activ ator CLoNY [new]\Vista.All.x86x32.OneClick.Activator CLoNY [new].rar"
Deletion of file "C:\Users\Amin Elmesquine\Desktop\Vista.All.x86x32.OneClick.Activ ator CLoNY [new]\Vista.All.x86x32.OneClick.Activator CLoNY [new].rar" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist


Error:  file "C:\Users\Amin Elmesquine\AppData\Local\Temp\xxyyxuvU.dll" not found!
Deletion of file "C:\Users\Amin Elmesquine\AppData\Local\Temp\xxyyxuvU.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\QooBox\Quarantine\C\Windows\System32\awtRkLCR.d ll.vir" not found!
Deletion of file "C:\QooBox\Quarantine\C\Windows\System32\awtRkLCR.d ll.vir" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.


----------
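Editor's added example (not part of the thread, and not a feature of The Avenger): a pre-flight check for a "Files to delete:" script before it is handed to a deletion tool. The Avenger log above fails on exactly the two paths whose long names carry a space that is absent from the Kaspersky listing of the same files ("Activ ator", "awtRkLCR.d ll.vir"); the editor's reading is that the board's line wrapping inserted those spaces when the script was posted, which is an inference, not something the thread states. The check below parses the script, flags duplicate entries, and for each path that does not exist tries removing one space at a time to see whether a wrapped name explains it. The script text is copied from the post above; `KNOWN_FILES` is a constructed stand-in for the file system, built from the Kaspersky report, and on a real machine `os.path.exists` would replace it.

```python
"""Pre-flight check for a 'Files to delete:' script (Avenger-style syntax).

Added example for this thread; not an Avenger feature. SCRIPT is the script
as posted, KNOWN_FILES is a constructed stand-in for the file system.
"""

# The script as posted, including the space-broken long names.
SCRIPT = r"""
Files to delete:
C:\Windows\System32\pmnlljIa.dll
C:\Windows\System32\nvf.dll
C:\Users\Amin Elmesquine\Desktop\Vista.All.x86x32.OneClick.Activ ator CLoNY [new]\Vista.All.x86x32.OneClick.Activator CLoNY [new].rar
C:\Users\Amin Elmesquine\Desktop\Vista.All.x86x32.OneClick.Activ ator CLoNY [new]\Vista.All.x86x32.OneClick.Activator CLoNY [new].rar
C:\Users\Amin Elmesquine\AppData\Local\Temp\xxyyxuvU.dll
C:\QooBox\Quarantine\C\Windows\System32\awtRkLCR.d ll.vir
"""

# Paths from the Kaspersky report, standing in for os.path.exists().
# xxyyxuvU.dll is left out deliberately: Avenger reported it as not found.
KNOWN_FILES = {
    r"C:\Windows\System32\pmnlljIa.dll",
    r"C:\Windows\System32\nvf.dll",
    r"C:\Users\Amin Elmesquine\Desktop\Vista.All.x86x32.OneClick.Activator CLoNY [new]\Vista.All.x86x32.OneClick.Activator CLoNY [new].rar",
    r"C:\QooBox\Quarantine\C\Windows\System32\awtRkLCR.dll.vir",
}


def parse_files_section(script):
    """Return the paths listed under 'Files to delete:'; other 'X to delete:'
    sections are skipped."""
    paths, in_section = [], False
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):                  # a section header
            in_section = line.lower() == "files to delete:"
            continue
        if in_section:
            paths.append(line)
    return paths


def unwrap_candidates(path):
    """Yield the path with one interior space removed at each position: a
    board that wraps long words inserts exactly one space into them."""
    for i, ch in enumerate(path):
        if ch == " ":
            yield path[:i] + path[i + 1:]


def preflight(script, exists):
    """Classify each path as 'ok', 'duplicate', 'wrap_break' (removing one
    space makes it exist; the repaired path is returned) or 'missing'.
    `exists` is a predicate on a Windows path string."""
    seen, report = set(), []
    for path in parse_files_section(script):
        key = path.lower()                      # NTFS names are case-insensitive
        if key in seen:
            report.append((path, "duplicate", None))
            continue
        seen.add(key)
        if exists(path):
            report.append((path, "ok", None))
            continue
        fixed = next((c for c in unwrap_candidates(path) if exists(c)), None)
        report.append((path, "wrap_break" if fixed else "missing", fixed))
    return report


def exists_in(known):
    """Build an `exists` predicate from a set of known paths (offline stand-in)."""
    lowered = {p.lower() for p in known}
    return lambda p: p.lower() in lowered


if __name__ == "__main__":
    for path, status, fixed in preflight(SCRIPT, exists_in(KNOWN_FILES)):
        print(f"{status:<10} {path}")
        if fixed:
            print(f"{'':<10} -> {fixed}")
```

Run on the posted script this reports the two `.rar` lines as a wrap break and a duplicate, the Temp DLL as missing, and the quarantined `.vir` as a wrap break, which is the same outcome the Avenger log records, before anything is deleted and rebooted.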



## GameMaster

Hi, how's your system running now? Any problems?
Let's have a look at the fresh HijackThis log, please.


----------



## SAD_DC

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:11:07, on 7/15/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\soundman.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wermgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IESiteBlocker.NavFilter  - {1AB6932F-92FE-42E6-870C-544AE458EA78} - C:\Windows\system32\nvf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Corp Updates] wupdates.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtRkLCR.dll,#1
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\RunServices: [Microsoft Corp Updates] wupdates.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\xxyyxuvU.dll,c
O4 - HKCU\..\Run: [BMf76466eb] Rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf.dll",s
O4 - HKCU\..\Run: [f4575577] rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ihbslpds.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10145 bytes


----------



## SAD_DC

It's still running slow, but I think the trojan is gone...

Thanks so much I will post again If I have problems. thanks again.


----------



## johnb35

What about these entries???? I think you're still infected...


O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtRkLCR.dll,#1
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\xxyyxuvU.dll,c
O4 - HKCU\..\Run: [BMf76466eb] Rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf.dll",s
O4 - HKCU\..\Run: [f4575577] rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ihbslpds.dll",b

Would anybody agree with me?


----------
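Editor's added example, not part of the thread and not a HijackThis feature: a small triage pass over the O4 (autostart) lines of a HijackThis log that encodes the reasoning behind the entries johnb35 singles out. What makes those five lines stand out is visible in the log itself: rundll32 loading DLLs from the user's Temp folder, eight-letter names with no meaning, exports given as an ordinal (`#1`) or a single letter, and in the `Microsoft Corp Updates` entry a bare `wupdates.exe` with no path, written under `RunServices`, a key that only Windows 9x/ME honours. Kaspersky's `Trojan.Win32.Monder` label on those DLLs is the family better known as Vundo/Virtumonde, and that naming pattern is typical of it. The scoring rules are the editor's own heuristics, not an authoritative signature; `SAMPLE_LOG` is a subset of O4 lines copied from the log posted above.

```python
"""Triage of the O4 (autostart) lines in a HijackThis log.

Added example for this thread; not a HijackThis feature and not the helpers'
method. The rules are the editor's heuristics; SAMPLE_LOG is copied from the
log posted in the thread.
"""
import re
from pathlib import PureWindowsPath

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Microsoft Corp Updates] wupdates.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtRkLCR.dll,#1
O4 - HKLM\..\RunServices: [Microsoft Corp Updates] wupdates.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\xxyyxuvU.dll,c
O4 - HKCU\..\Run: [BMf76466eb] Rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf.dll",s
O4 - HKCU\..\Run: [f4575577] rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ihbslpds.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
USER_SUFFIX_RE = re.compile(r"\s+\(User '[^']*'\)$")
EXE_RE = re.compile(r"^(.+?\.(?:exe|dll|com|scr|bat|cmd))(?:\s+(.*))?$", re.I)
VOWELS = set("aeiouAEIOU")


def split_program(cmd):
    """Return (program, arguments); handles quoted and unquoted paths with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def looks_random(stem):
    """Editor's heuristic for dropper-style names: exactly eight letters with
    at most two vowels, or case changes inside the word (awtRkLCR, mlJAqnMC)."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    vowels = sum(c in VOWELS for c in stem)
    mixed = any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem)
    return vowels <= 2 or mixed


def analyse_entry(key, cmd):
    """Return (target path, list of flags) for one O4 entry; no flags = nothing odd."""
    flags = []
    cmd = USER_SUFFIX_RE.sub("", cmd)
    program, args = split_program(cmd)
    if key.lower() == "runservices":
        flags.append("runservices_key")      # honoured only by Windows 9x/ME
    if PureWindowsPath(program).name.lower() == "rundll32.exe":
        # rundll32 <dll>,<export>: judge the DLL, not rundll32 itself
        dll, _, export = args.partition(",")
        target = PureWindowsPath(dll.strip().strip('"'))
        export = export.strip()
        if export.startswith("#") or len(export) == 1:
            flags.append("opaque_export")    # ordinal or one-letter export name
    else:
        target = PureWindowsPath(program)
        if str(target.parent) == ".":
            flags.append("bare_filename")    # resolved through the search path
    if any(part.lower() == "temp" for part in target.parts[:-1]):
        flags.append("dll_or_exe_in_temp")
    if looks_random(target.stem):
        flags.append("random_name")
    return target, flags


def triage(log_text):
    """Parse every O4 Run* line and return the entries that raised a flag."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        target, flags = analyse_entry(m["key"], m["cmd"])
        if flags:
            findings.append({"hive": m["hive"], "key": m["key"], "name": m["name"],
                             "target": str(target), "flags": flags})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['hive']:<14}{f['key']:<12}[{f['name']}] {f['target']}")
        print(f"{'':<26}-> {', '.join(f['flags'])}")
```

The output surfaces the five entries johnb35 lists plus `wupdates.exe` (no path, and duplicated under `RunServices`), while the NVIDIA, Sidebar and Welcome Center rundll32 entries pass. It also flags `SOUNDMAN.EXE` for having no path; the process list shows it running from `C:\Windows`, and that is the point of a triage pass: it ranks lines for a person to check, it does not decide for them.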



## johnb35

Until GameMaster or someone else replies, you can try downloading and running SUPERAntiSpyware and Malwarebytes' Anti-Malware, then rerun ComboFix and repost the new ComboFix log together with a new HijackThis log.


----------



## cohen

johnb35 said:


> What about these entries????  I think your still infected...
> 
> 
> O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtRkLCR.dll,#1
> O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll,#1
> O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\xxyyxuvU.dll,c
> O4 - HKCU\..\Run: [BMf76466eb] Rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf.dll",s
> O4 - HKCU\..\Run: [f4575577] rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ihbslpds.dll",b
> 
> Would anybody agree with me?



As for those, they look like they are in the temp folder.

Might be worth running CCleaner.


----------



## SAD_DC

Actually, there is something else...
My clock is using the European time setting, i.e. instead of 1 pm it shows 13.00. How can I get rid of this? It looks funny and I prefer the regular setting.

Thanks a lot for the help, by the way. I REALLY appreciate it.

Oh, P.S. The Dark Knight kicked a$$

Thanks again.


----------



## GameMaster

John, you're right, not all viruses are gone.

*SAD_DC:*
Please open your HijackThis again and choose *Do a system scan only.*
Place a check next to these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtRkLCR.dll,#1
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll, #1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\xxyyxuvU.dll, c
O4 - HKCU\..\Run: [BMf76466eb] Rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf.dll ",s
O4 - HKCU\..\Run: [f4575577] rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ihbslpds.dll ",b
O13 - Gopher Prefix:

Now close all open windows except the HijackThis and click *Fix checked.*
Reboot your computer.

When done, go to *Start -> Control Panel -> Add or Remove Programs*, find *Viewpoint Manager/Viewpoint Service/Viewpoint Player*... uninstall anything that has Viewpoint in its name.

Then reboot your computer again.
How's your system running now? Surely a lot better. Please post a fresh HijackThis log.


----------



## SAD_DC

here you go..
oh and the thing with the time setting?






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:11:07, on 7/15/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\soundman.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wermgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IESiteBlocker.NavFilter  - {1AB6932F-92FE-42E6-870C-544AE458EA78} - C:\Windows\system32\nvf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Corp Updates] wupdates.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtRkLCR.dll,#1
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\RunServices: [Microsoft Corp Updates] wupdates.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\xxyyxuvU.dll,c
O4 - HKCU\..\Run: [BMf76466eb] Rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf.dll",s
O4 - HKCU\..\Run: [f4575577] rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ihbslpds.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10145 bytes


----------



## magna86

..safe mode (restart, F8, select safe mode)
*fix*

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [Microsoft Corp Updates] wupdates.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtRkLCR.dll,#1

O4 - HKLM\..\RunServices: [Microsoft Corp Updates] wupdates.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll, #1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\xxyyxuvU.dll, c
O4 - HKCU\..\Run: [BMf76466eb] Rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf.dll ",s
O4 - HKCU\..\Run: [f4575577] rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ihbslpds.dll ",b

O13 - Gopher Prefix:


----------



## G25r8cer

^^ Don't mess with BHOs!

As for the time: go to Control Panel -> Regional and Language Settings. Change the format to "English (United States)" if it is not selected. Then click "Customize this format" and click the "Time" tab. You can adjust your time settings there.


----------



## johnb35

SAD_DC said:


> here you go..
> oh and the thing with the time setting?
> 
> 
> 
> 
> 
> 
> Logfile of Trend Micro HijackThis v2.0.2
> Scan saved at 01:11:07, on 7/15/2008
> Platform: Windows Vista  (WinNT 6.00.1904)
> MSIE: Internet Explorer v7.00 (7.00.6000.16386)
> Boot mode: Normal
> 
> Running processes:
> C:\Windows\System32\smss.exe
> C:\Windows\system32\csrss.exe
> C:\Windows\system32\wininit.exe
> C:\Windows\system32\csrss.exe
> C:\Windows\system32\services.exe
> C:\Windows\system32\lsass.exe
> C:\Windows\system32\lsm.exe
> C:\Windows\system32\winlogon.exe
> C:\Windows\system32\svchost.exe
> C:\Windows\system32\svchost.exe
> C:\Windows\System32\svchost.exe
> C:\Windows\System32\svchost.exe
> C:\Windows\System32\svchost.exe
> C:\Windows\system32\svchost.exe
> C:\Windows\system32\SLsvc.exe
> C:\Windows\system32\svchost.exe
> C:\Windows\system32\svchost.exe
> C:\Windows\System32\spoolsv.exe
> C:\Windows\system32\svchost.exe
> C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
> C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
> C:\Program Files\Common Files\LightScribe\LSSrvc.exe
> C:\Windows\system32\PnkBstrA.exe
> C:\Windows\system32\svchost.exe
> C:\Program Files\Spyware Doctor\svcntaux.exe
> C:\Program Files\Spyware Doctor\swdsvc.exe
> C:\Windows\system32\svchost.exe
> C:\Program Files\Viewpoint\Common\ViewpointService.exe
> C:\Windows\System32\svchost.exe
> C:\Windows\system32\SearchIndexer.exe
> C:\Windows\system32\taskeng.exe
> C:\Windows\system32\taskeng.exe
> C:\Windows\system32\Dwm.exe
> C:\Windows\Explorer.EXE
> C:\Program Files\Windows Defender\MSASCui.exe
> C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
> C:\Windows\soundman.exe
> C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
> C:\Windows\System32\rundll32.exe
> C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
> C:\Program Files\Common Files\Real\Update_OB\realsched.exe
> C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
> C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
> C:\Program Files\iTunes\iTunesHelper.exe
> C:\Program Files\Spyware Doctor\SDTrayApp.exe
> C:\Windows\ehome\ehtray.exe
> C:\Windows\system32\wbem\unsecapp.exe
> C:\Program Files\Windows Media Player\wmpnscfg.exe
> C:\Windows\System32\rundll32.exe
> C:\Windows\system32\wbem\wmiprvse.exe
> C:\Program Files\Windows Media Player\wmpnetwk.exe
> C:\Windows\ehome\ehmsas.exe
> C:\Program Files\iPod\bin\iPodService.exe
> C:\Windows\System32\rundll32.exe
> C:\Windows\system32\wermgr.exe
> C:\Program Files\Windows Sidebar\sidebar.exe
> C:\Windows\system32\wuauclt.exe
> C:\Windows\system32\rundll32.exe
> C:\Windows\system32\rundll32.exe
> C:\Windows\system32\rundll32.exe
> C:\Windows\system32\rundll32.exe
> C:\Windows\system32\rundll32.exe
> C:\PROGRA~1\Mozilla Firefox\firefox.exe
> C:\Windows\system32\SearchProtocolHost.exe
> C:\Windows\system32\SearchFilterHost.exe
> C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
> C:\Windows\system32\wbem\wmiprvse.exe
> 
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
> R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
> R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
> O1 - Hosts: ::1 localhost
> O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
> O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
> O2 - BHO: IESiteBlocker.NavFilter  - {1AB6932F-92FE-42E6-870C-544AE458EA78} - C:\Windows\system32\nvf.dll
> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
> O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
> O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
> O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
> O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
> O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
> O4 - HKLM\..\Run: [Microsoft Corp Updates] wupdates.exe
> O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
> O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
> O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
> O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
> O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
> O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
> O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
> O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
> O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
> O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
> O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
> O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
> O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
> O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
> O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
> O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
> O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtRkLCR.dll,#1
> O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
> O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
> O4 - HKLM\..\RunServices: [Microsoft Corp Updates] wupdates.exe
> O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
> O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
> O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
> O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
> O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
> O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
> O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
> O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll,#1
> O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\xxyyxuvU.dll,c
> O4 - HKCU\..\Run: [BMf76466eb] Rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf.dll",s
> O4 - HKCU\..\Run: [f4575577] rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ihbslpds.dll",b
> O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
> O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
> O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
> O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
> O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
> O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
> O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
> O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
> O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
> O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
> O13 - Gopher Prefix:
> O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
> O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
> O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
> O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
> O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
> O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
> O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
> O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
> O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
> O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
> O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
> O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
> 
> --
> End of file - 10145 bytes



You are still not clean.  Run superantispyware and malwarebytes antimalware programs but update them first after downloading and see if those will take care of these items....


O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll, #1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\xxyyxuvU.dll, c
O4 - HKCU\..\Run: [BMf76466eb] Rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf.dll ",s
O4 - HKCU\..\Run: [f4575577] rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ihbslpds.dll ",b
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtRkLCR.dll,#1
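The entries johnb35 keeps pointing at share patterns that can be checked mechanically rather than by eye: an O4 autostart that has rundll32.exe load a DLL out of a user's Temp directory, an autostart that names a bare executable with no directory, a rundll32 entry point given as an ordinal (#1) instead of an exported name, the legacy RunServices key, and an O2 BHO whose file is gone. The Python script below is an added example, not part of this thread and not HijackThis's own code: it parses O2 and O4 lines in HijackThis's format and reports those patterns. The sample lines are constructed to resemble the log posted above (with a few benign entries kept for contrast), and the severity labels and rules are the example's own heuristics, a review list rather than a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis O2/O4 format, modelled on the log posted in this
# thread, with a few benign entries (NvCpl, Sidebar, Adobe) kept for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Microsoft Corp Updates] wupdates.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtRkLCR.dll,#1
O4 - HKLM\..\RunServices: [Microsoft Corp Updates] wupdates.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll,#1
O4 - HKCU\..\Run: [BMf76466eb] Rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
"""

# O4 lines: "O4 - <hive>\..\<key>: [<name>] <command>"; the hive may contain a SID.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2 lines: "O2 - BHO: <name> - {CLSID} - <path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low" (this example's own scale)
    line: str
    reason: str


def parse_rundll32(cmd):
    """Split 'rundll32.exe <dll>,<entry>' into (dll, entry); None if cmd is not rundll32."""
    parts = cmd.strip().split(None, 1)
    if len(parts) < 2 or parts[0].lower() != "rundll32.exe":
        return None
    rest = parts[1].strip()
    if rest.startswith('"'):                      # quoted path, comma follows the quote
        end = rest.find('"', 1)
        if end < 0:
            end = len(rest)
        dll, tail = rest[1:end], rest[end + 1:]
    else:                                         # unquoted path up to the first comma
        dll, _, tail = rest.partition(",")
    tail = tail.lstrip(",").strip()
    entry = tail.split()[0] if tail else ""
    return dll.strip(), entry


def analyze_line(line):
    """Return the findings for one HijackThis line (empty list if nothing stands out)."""
    findings = []
    m = O4_RE.match(line)
    if m:
        key, cmd = m.group("key"), m.group("cmd")
        if key.lower() == "runservices":
            findings.append(Finding("medium", line,
                "RunServices is a legacy Windows 9x autostart key; nothing written for Vista needs it"))
        parsed = parse_rundll32(cmd)
        if parsed:
            target, entry = parsed
            if entry.startswith("#"):
                findings.append(Finding("low", line,
                    f"rundll32 entry point given by ordinal {entry} rather than an exported name"))
        else:
            target = cmd.strip().split(None, 1)[0].strip('"')
        if "\\temp\\" in target.lower():
            findings.append(Finding("high", line, "autostart loads code from a Temp directory"))
        if "\\" not in target and "%" not in target:
            findings.append(Finding("medium", line,
                "bare file name with no directory; resolved through the PATH search order, so confirm which file actually runs"))
        return findings
    m = O2_RE.match(line)
    if m and m.group("path").strip() == "(no file)":
        findings.append(Finding("low", line, "orphaned BHO: CLSID still registered but its file is gone"))
    return findings


def analyze(log_text):
    """Run analyze_line over every non-blank line of a log."""
    out = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            out.extend(analyze_line(line))
    return out


def summarize(findings):
    """Count findings per severity, always reporting all three keys."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: ["high", "medium", "low"].index(f.severity)):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(results))
```

On the constructed sample the two Temp-directory entries come out as the only high findings, the two wupdates.exe entries and the RunServices key as medium, and the orphaned BHO plus the two ordinal entry points as low; the NVIDIA, Sidebar and Adobe lines produce nothing. Deliberately absent is any judgement of the random-looking file names, which a human spots instantly but which a simple rule would also raise on names such as NvCpl.dll.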


----------



## johnb35

I just realized that you haven't run ComboFix yet. Download it from here, run it, and then post the log that appears after it's done running.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe


----------



## magna86

> ^^ Dont mess with BHO's!



wt..?

*O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)*
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IESiteBlocker.NavFilter - {1AB6932F-92FE-42E6-870C-544AE458EA78} - C:\Windows\system32\nvf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
*O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)*

Unnecessary entry, and the file is missing; that can be fixed!

btw...

To see if these items are malware, they can be looked up at the following website:
http://computercops.biz/CLSID.html
Example...
Copy the CLSID (e.g. {1AB6932F-92FE-42E6-870C-544AE458EA78})
or file name e.g. nvf.dll into the search box on the above site and click "Search".
If the BHO name is found then you will notice a letter in the status column of the line. This letter will be one of the following:
X for certified spyware/foistware, or other malware,
L for legitimate items,
O for 'open to debate',
? for BHOs of unknown status.
Fix the items with an X next to them. If they are not found then Google can be used.
Alternatively, HJTHotkey can search for a CLSID or file name by selecting it in the log and pressing Alt+B and/or Ctrl+B.

Sorry, I don't speak English well.

PS: nice forum
PPS: @johnb35 is right, try to run ComboFix


----------



## Respital

magna86 said:


> wt..?
> 
> *O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)*
> O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
> O2 - BHO: IESiteBlocker.NavFilter - {1AB6932F-92FE-42E6-870C-544AE458EA78} - C:\Windows\system32\nvf.dll
> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
> O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
> O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
> *O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)*
> 
> Unnecessary entry, and the file is missing; that can be fixed!
> 
> btw...
> 
> To see if these items are malware, they can be looked up at the following website:
> http://computercops.biz/CLSID.html
> Example...
> Copy the CLSID (e.g. {1AB6932F-92FE-42E6-870C-544AE458EA78})
> or file name e.g. nvf.dll into the search box on the above site and click "Search".
> If the BHO name is found then you will notice a letter in the status column of the line. This letter will be one of the following:
> X for certified spyware/foistware, or other malware,
> L for legitimate items,
> O for 'open to debate',
> ? for BHOs of unknown status.
> Fix the items with an X next to them. If they are not found then Google can be used.
> Alternatively, HJTHotkey can search for a CLSID or file name by selecting it in the log and pressing Alt+B and/or Ctrl+B.
> 
> Sorry, I don't speak English well.
> 
> PS: nice forum
> PPS: @johnb35 is right, try to run ComboFix



First of all, this user is already being helped, by *GameMaster*.
Second of all, most of the entries you listed are essential for the programs the user is using.
Thirdly, please do not tell the user to do something when they are already being helped and when you obviously have no experience with security.
Fourthly, though you did find a SmitFraud infection, all of the other entries didn't need to be listed.
Fifthly, even if you didn't list the entries to be fixed, the user, or really any user, could have mistaken them as entries which needed to be fixed *(which they do not)* and could have caused system instability.
Sorry to be so harsh, but that's all true.

<Sorry for the minor hijacking>


----------



## G25r8cer

Fixing BHOs is not recommended


----------



## SAD_DC

so what programs should I download now?


----------



## Buzz1927

g25racer said:


> Fixing BHOs is not recommended


Why is that, then? And I expect a reasoned response.


----------



## johnb35

SAD_DC said:


> so what programs should I download now?



Have you run ComboFix yet? Or SuperAntiSpyware or Malwarebytes Anti-Malware?


----------



## magna86

> First of all, this user is already being helped.
> By GameMaster.



I know that and I respect that.
Sorry for interrupting.



> Second of all, most of the entries you listed are essential for the programs the user is using



I know! O4 - loading programs on startup... this is the RBOT-AUU worm and NASTY...
They are infected entries!
If you don't believe me...
windowsstartup.com
sysinfo.org
http://computercops.biz/StartupList.html
Google

I recommended fixing this entry... (if the user wishes to fix it)
if the user wishes not to have problems



> Thirdly, please do not tell the user to do something when they are already being helped
> and when you obviously have no experience with security



?? nonsensical... no comment




> Fifthly, even if you didn't list the entries to be fixed,
> the user, or really any user, could have mistaken them as entries which needed to be fixed



nonsensical... then he must be cautious



> Sorry to be so harsh



You didn't have to be so harsh... but ok...
I don't get you, I didn't tell you anything, so why do you comment..?
*I don't know how to speak English well*, so I cannot comment back to you..
I am not mad at you...

You have had your say,
do whatever you want.
*I will not disturb you any more, don't worry*
No more offtopic from me.
Greetings from Serbia.


----------



## GameMaster

Haha... he's a Serb...

Anyway,@*SAD_DC*. I'm sorry it took me long to answer. So:

Fixing the HijackThis entries somehow didn't work. But why didn't you uninstall Viewpoint? Please read PC Hell's *How to uninstall Viewpoint*. I don't want to see it in the next log.

Let's use Avenger again.

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
   Right click on the Avenger.zip folder and select "Extract All..."
   Follow the prompts and extract the avenger folder to your Desktop

2. Copy all the text contained in the Quote box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):



> Files to delete:
> C:\Windows\system32\wupdates.exe
> C:\Windows\system32\awtRkLCR.dll
> C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll
> O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\xxyyxuvU.dll
> C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf .dll
> C:\Users\AMINEL~1\AppData\Local\Temp\ihbslpds .dll


*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*

3. Now, open The Avenger folder and *start The Avenger program* by clicking on its icon.
 Right click on the window under *Input script here:*, and select Paste.
You can also Paste the text copied to the clipboard into this window by pressing (*Ctrl+V*).
 Click on *Execute*
 Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
It will *Restart your computer*. ( In cases where the code to execute contains "*Drivers to Delete*", The Avenger will actually *restart your system twice.*)
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of Avenger’s actions.  This log file will be located at  *C:\avenger.txt*
 The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *C:\avenger.txt* into your reply *along with a fresh HJT log* by using *Add/Reply*
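An Avenger script only deletes what it can open, so every line under "Files to delete:" has to be a real, exact file path: a HijackThis O4 line pasted in where a path belongs, or a stray space before ".dll", makes that line name a file that does not exist and the deletion silently fails. The Python script below is an added example, not part of this thread and not code from The Avenger: it reads a script in the one-section-header-plus-one-entry-per-line layout shown above, reports file entries that are not absolute drive-letter paths or that carry whitespace before the extension, and offers a best-effort cleaned path for a human to review. The sample script is a constructed copy of the one quoted above; the section header names come from this thread, and the checks are the example's own.

```python
import re

# Constructed copy of the "Files to delete:" script quoted above, kept verbatim so the
# validator can show what it would have caught before the script was run.
SAMPLE_SCRIPT = r"""
Files to delete:
C:\Windows\system32\wupdates.exe
C:\Windows\system32\awtRkLCR.dll
C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\xxyyxuvU.dll
C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf .dll
C:\Users\AMINEL~1\AppData\Local\Temp\ihbslpds .dll
"""

# An absolute Windows path: drive letter, colon, backslash, then no characters that
# are illegal in NTFS names. Spaces and 8.3 short names (AMINEL~1) are allowed.
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\[^<>"|?*]+$')
# A HijackThis log line ("O4 - ...", "R1 - ...") pasted in by mistake.
HJT_LINE_RE = re.compile(r"^[RO]\d+ - ")
# Whitespace immediately before the extension, e.g. "ojasynkf .dll".
SPACE_BEFORE_EXT_RE = re.compile(r"\s\.[A-Za-z0-9]+$")


def validate_script(text):
    """Return [(line_no, line, problem), ...] for every file entry that cannot be right.

    Section headers are recognised by the "... to delete:" suffix used in the thread
    ("Files to delete:", "Drivers to delete:"); only file entries are checked here.
    """
    problems = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if line.strip().lower().endswith(" to delete:"):
            section = line.strip()
            continue
        if section is None:
            problems.append((lineno, line, "entry appears before any section header"))
            continue
        if section.lower() != "files to delete:":
            continue
        if line != line.strip():
            problems.append((lineno, line, "leading or trailing whitespace"))
        entry = line.strip()
        if HJT_LINE_RE.match(entry):
            problems.append((lineno, line, "HijackThis log line, not a file path"))
            continue
        if not ABS_PATH_RE.match(entry):
            problems.append((lineno, line, "not an absolute drive-letter path"))
            continue
        if SPACE_BEFORE_EXT_RE.search(entry):
            problems.append((lineno, line, "whitespace before the extension: names a file that does not exist"))
    return problems


def suggested_path(entry):
    """Best-effort cleanup for the two mistakes seen above: pull the first drive-letter
    path out of the line (so a pasted rundll32 line yields its DLL) and close any gap
    before the extension. Returns None when nothing path-like is present; the result is
    a suggestion for a human to check, not something to execute unseen."""
    m = re.search(r'[A-Za-z]:\\[^,"]+?\s*\.[A-Za-z0-9]+(?=[,"]|$)', entry)
    if not m:
        return None
    return re.sub(r"\s+\.(?=[A-Za-z0-9]+$)", ".", m.group(0).strip())


if __name__ == "__main__":
    for lineno, line, problem in validate_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {problem}\n    {line}\n    suggested: {suggested_path(line)}")
```

Run against the constructed copy, the validator flags the O4 line and the two entries with a space before ".dll", and for each proposes the plain DLL path; the three entries that were already well-formed pass, which matches the pattern of the Avenger log in the next reply, where the O4 line fails with a path error and the rest fail only because the files were no longer present.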


----------



## SAD_DC

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  file "C:\Windows\system32\wupdates.exe" not found!
Deletion of file "C:\Windows\system32\wupdates.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\Windows\system32\awtRkLCR.dll" not found!
Deletion of file "C:\Windows\system32\awtRkLCR.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll" not found!
Deletion of file "C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open file "O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\xxyyxuvU.dll"
Deletion of file "O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\xxyyxuvU.dll" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist


Error:  file "C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf .dll" not found!
Deletion of file "C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf .dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\Users\AMINEL~1\AppData\Local\Temp\ihbslpds .dll" not found!
Deletion of file "C:\Users\AMINEL~1\AppData\Local\Temp\ihbslpds .dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.



Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows Vista

*******************

Error:  Script file not found!
Could not open script file!  Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Abort!


yup and the damn viewpoint is still there. wtf.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:11:07, on 7/15/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\soundman.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wermgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IESiteBlocker.NavFilter  - {1AB6932F-92FE-42E6-870C-544AE458EA78} - C:\Windows\system32\nvf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Corp Updates] wupdates.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtRkLCR.dll,#1
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\RunServices: [Microsoft Corp Updates] wupdates.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\xxyyxuvU.dll,c
O4 - HKCU\..\Run: [BMf76466eb] Rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf.dll",s
O4 - HKCU\..\Run: [f4575577] rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ihbslpds.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10145 bytes


----------



## dannaswolcott

http://housecall65.trendmicro.com/

free virus scan, might help


----------



## Custompcrepair

SAD_DC said:


> so what programs should I download now?




I have Ad-Aware 2008, Spybot S&D, CCleaner, Avast! Home Edition and ZoneAlarm firewall on my pc and it works good.

I would download Avast and run a bootable scan and then one once ur booted up.

Click here for Avast!

FileHippo is a great website that I use to download alot of my programs.
Use it to download Ad-Aware, Spybot, CCleaner and more.


----------



## GameMaster

Hi, I think you misunderstood me. I need to see the fresh HijackThis log ( run another scan with it and post the NEW log ). We ran Avenger for nothing now


----------



## SAD_DC

that was fresh. here's another. I just ran hjt again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:11:07, on 7/15/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\soundman.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wermgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IESiteBlocker.NavFilter  - {1AB6932F-92FE-42E6-870C-544AE458EA78} - C:\Windows\system32\nvf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Corp Updates] wupdates.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtRkLCR.dll,#1
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\RunServices: [Microsoft Corp Updates] wupdates.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\xxyyxuvU.dll,c
O4 - HKCU\..\Run: [BMf76466eb] Rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf.dll",s
O4 - HKCU\..\Run: [f4575577] rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ihbslpds.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10145 bytes


----------



## johnb35

You are still infected with these items......

O4 - HKLM\..\Run: [Microsoft Corp Updates] wupdates.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtRkLCR.dll,#1
O4 - HKLM\..\RunServices: [Microsoft Corp Updates] wupdates.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll, #1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\xxyyxuvU.dll, c
O4 - HKCU\..\Run: [BMf76466eb] Rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf.dll ",s
O4 - HKCU\..\Run: [f4575577] rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ihbslpds.dll ",b

You still have viewpoint software installed. You need to get rid of it via add/remove programs.

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

If you haven't already done so try running malwarebytes antimalware and/or superantispyware.


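The checks johnb35 applies by eye above (rundll32 loading DLLs out of the user's Temp folder, ordinal or one-letter entry points, generated-looking value names, a bare `wupdates.exe` under a Microsoft-styled label and the obsolete RunServices key) can be written down as a small triage pass over HJT O4 lines. This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the log posted above, and every rule is a heuristic that queues an entry for a human to verify, not a verdict.

```python
"""Triage HijackThis O4 (autorun) entries for the indicators flagged in this thread: rundll32
loading a DLL from a Temp folder, ordinal/one-letter entry points, hex-looking value names,
RunServices entries (a Win9x key Vista never runs), vendor labels on a bare filename.
Added example, not the thread's own code; every rule here is a heuristic."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "level reason")      # level is "HIGH" or "LOW"
O4Entry = namedtuple("O4Entry", "hive name command")

# "O4 - <hive>: [<value name>] <command> (User '<account>')"; the user tag is optional
O4_RE = re.compile(r"^O4 - (?P<hive>[^:\[]+):\s*\[(?P<name>[^\]]*)\]\s*"
                   r"(?P<cmd>.*?)\s*(?:\(User '[^']*'\))?\s*$")
# rundll32[.exe] <dll>[,<entry point>]; the DLL is quoted when its path has spaces
RUNDLL_RE = re.compile(r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'
                       r'(?P<dll>"[^"]+"|[^,\s]+)\s*(?:,\s*(?P<entry>\S+))?\s*$', re.I)
VENDOR_RE = re.compile(r"\b(microsoft|windows)\b", re.I)
HEX_RUN_RE = re.compile(r"[0-9a-f]{8}", re.I)
TEMP_RE = re.compile(r"\\Temp\\", re.I)

# Constructed sample: O4 lines copied from the HJT log posted above, including a
# few known-good entries from the same log to show what the rules leave alone.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [Microsoft Corp Updates] wupdates.exe',
    r'O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtRkLCR.dll,#1',
    r'O4 - HKLM\..\RunServices: [Microsoft Corp Updates] wupdates.exe',
    r'O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll,#1',
    r'O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\xxyyxuvU.dll,c',
    r'O4 - HKCU\..\Run: [BMf76466eb] Rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf.dll",s',
    r'O4 - HKCU\..\Run: [f4575577] rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ihbslpds.dll",b',
    r"O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')",
    r'O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe',  # not a registry value: skipped
]


def parse_o4(line):
    """Split an HJT O4 line into (hive, value name, command); None for non-registry items."""
    m = O4_RE.match(line.strip())
    return O4Entry(m.group("hive"), m.group("name"), m.group("cmd")) if m else None


def executable_of(command):
    """Return (target, entry_point, via_rundll32): for rundll32 the target is the DLL
    that actually runs, otherwise the first (unquoted) token of the command."""
    m = RUNDLL_RE.match(command)
    if m:
        return m.group("dll").strip('"'), m.group("entry"), True
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]), None, False
    tokens = command.split()
    return (tokens[0] if tokens else ""), None, False


def assess(entry):
    """Return the Findings for one O4 entry; an empty list means nothing stood out."""
    target, entry_point, via_rundll = executable_of(entry.command)
    findings = []
    if entry.hive.lower().endswith("runservices"):
        findings.append(Finding("HIGH", "RunServices is a Win9x-only key that Vista never runs"))
    if TEMP_RE.search(target):
        findings.append(Finding("HIGH", "autorun target lives in a Temp folder"))
    if via_rundll and entry_point and (entry_point.startswith("#") or len(entry_point) == 1):
        findings.append(Finding("HIGH", f"rundll32 entry point '{entry_point}' is an ordinal "
                                        "or a single letter, not a named export"))
    if HEX_RUN_RE.search(entry.name):
        findings.append(Finding("HIGH", "value name contains an 8-digit hex run (generated name)"))
    bare = "\\" not in target                      # no directory: resolved through PATH
    if bare and VENDOR_RE.search(entry.name):
        findings.append(Finding("HIGH", "vendor-styled label but the target has no path"))
    elif bare:
        findings.append(Finding("LOW", "bare filename; confirm what is actually on disk"))
    return findings


def triage(lines, min_level="HIGH"):
    """Return [(name, hive, [reasons])] for entries with a finding at min_level or above."""
    accepted = {"HIGH"} if min_level == "HIGH" else {"HIGH", "LOW"}
    report = []
    for entry in filter(None, map(parse_o4, lines)):
        findings = assess(entry)
        if any(f.level in accepted for f in findings):
            report.append((entry.name, entry.hive, [f"{f.level}: {f.reason}" for f in findings]))
    return report


if __name__ == "__main__":
    print(*triage(SAMPLE_O4_LINES), sep="\n")
```

Run with `min_level="LOW"` to also see the bare-filename entries (SoundMan, WindowsWelcomeCenter) that need a look on disk but are not evidence on their own.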
----------



## Respital

johnb35 said:


> You are still infected with these items......
> 
> O4 - HKLM\..\Run: [Microsoft Corp Updates] wupdates.exe
> O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awtRkLCR.dll,#1
> O4 - HKLM\..\RunServices: [Microsoft Corp Updates] wupdates.exe
> O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\mlJAqnMC.dll, #1
> O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\AMINEL~1\AppData\Local\Temp\xxyyxuvU.dll, c
> O4 - HKCU\..\Run: [BMf76466eb] Rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ojasynkf.dll ",s
> O4 - HKCU\..\Run: [f4575577] rundll32.exe "C:\Users\AMINEL~1\AppData\Local\Temp\ihbslpds.dll ",b
> 
> You still have viewpoint software installed. You need to get rid of it via add/remove programs.
> 
> O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
> 
> If you haven't already done so try running malwarebytes antimalware and/or superantispyware.



Yup, definitely still infected.
Here are some more detailed instructions for malwarebytes antimalware.


*How to run a scan with Malwarebytes' Anti-Malware*

Download Malwarebytes' Anti-Malware from *Here* or *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
_If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately._


----------



## TFT

Bloody hell guys, I know you all want to help and can see the problem but even me with my limited knowledge on "infectious diseases" know that someone has to steer the boat. The poor OP has got advice coming from every direction, he needs to follow one "expert's" advice only even if it does take a bit longer. From the little I know of this subject he should be following a set path to eradicate the infection he has, not run this, run that, delete this then that. Peace

He's probably gone to lie down with an Aspirin now.


----------



## GameMaster

PLEASE. I agree with TFT lol.

*SAD_DC*. Look at the scan header:


> Logfile of Trend Micro HijackThis v2.0.2
> Scan saved at *01:11:07, on 7/15/2008*



YOU ARE POSTING THE SAME SCAN MULTIPLE TIMES.
I don't know why that is, but you surely can't be infected anymore.

In the next HijackThis log I won't be able to see all those O4 entries and the Viewpoint Service.

Since you obviously can't find the new log, post the one that Respital suggested in his previous post.


*Respital*, no, I don't agree with your statement that the OP is still infected.


----------

