Jump to content

Help - Hijacked - XP Internet Security 2010


Recommended Posts

Hi Guys,

I'm hoping someone can help, I cannot run MBAM. I have somthing similiar to the Total Security/AV360 thing mentioned in the pinned posts in this forum, but it calls itself XP Internet Security 2010. Please see my log attached as a txt file, also copied and pasted below as I wasn't sure which way I should do this.

Hope you can help..

Regards... Kevin

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:27:13, on 07/03/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\sm56hlpr.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

C:\Program Files\Kontiki\KHost.exe

C:\Program Files\Kontiki\KService.exe

C:\Downloaded Programs\iTUNES\iTunesHelper.exe

C:\Program Files\QuickTime\QTTask.exe

C:\WINDOWS\system32\igfxtray.exe

C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe

C:\WINDOWS\system32\o2flash.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe

C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe

C:\Documents and Settings\Nat\Local Settings\Application Data\av.exe

C:\Downloaded Programs\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.ask.com?o=15153&l=dis

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\IPSBHO.DLL

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\coIEPlg.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [AOL_Demo] C:\Applications\Tool\AOL Demo\DSGDemo.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Downloaded Programs\iTUNES\iTunesHelper.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sKDaemon.exe] C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog

O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray

O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Nat\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - .DEFAULT User Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BlueSoleil.lnk = ?

O4 - Global Startup: FreeventsSchedule.lnk = C:\Freevents\FreeventsSchedule.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?c57707d8ec014af8a9260e0c7ab3b951

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?c57707d8ec014af8a9260e0c7ab3b951

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.tescophoto.com/wpp/tesco/app/ImageUploader5.cab

O16 - DPF: {B015B944-7316-49AE-AC84-ACCA9379EA32} (IPCamPlugIn Control) - http://artisancam.dyndns.org/IPCamPluginMJPEG.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O23 - Service: 1173065773 (.1173065773) - Unknown owner - C:\Program Files\1173065773\Nat1173065773L.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe

O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--

End of file - 11850 bytes

hijackthis_one.txt

Link to post
Share on other sites

Hi kevinboo,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your computer problems.

The logs can take some time to research, so please be patient with me.

Please note the following:

  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Uninstall List

  • Open HijackThis.
  • Look under System tools.
  • Click on the Open Uninstall Manager... button.
  • Click on the Save list... button.
  • It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  • Notepad will open. Please copy and paste the contents of this log in your next reply.

Link to post
Share on other sites

Hi kevinboo,

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.

  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

    [*]Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.

  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE

Important! Please do not select the "Show all" checkbox during the scan..

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.

Link to post
Share on other sites

Hi kevinboo,

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.

  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

    [*]Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.

  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE

Important! Please do not select the "Show all" checkbox during the scan..

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.

Hi Delta,

This is a reply to your first post, below find pasted my uninstall manager log..

4oD

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 7.1.0

Apple Mobile Device Support

Apple Software Update

BBC iPlayer Download Manager

BlueSoleil

Bonjour

Citrix Presentation Server Client

Critical Update for Windows Media Player 11 (KB959772)

DivX

DivX Converter

DivX Converter

DivX Player

DivX Plus Web Player

Google Toolbar for Internet Explorer

Google Toolbar for Internet Explorer

Google Update Helper

Google Updater

High Definition Audio Driver Package - KB888111

HijackThis 2.0.2

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 10 (KB903157)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

hp deskjet 3420 series (Remove only)

Intel® Graphics Media Accelerator Driver

Intel® Matrix Storage Manager

Intel® PROSet/Wireless Software

iTunes

J2SE Runtime Environment 5.0 Update 10

J2SE Runtime Environment 5.0 Update 3

Java 6 Update 14

Java 6 Update 2

Java 6 Update 5

Java SE Runtime Environment 6 Update 1

Malwarebytes' Anti-Malware

Map Button (Windows Live Toolbar)

mCore

mDriver

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB953297)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 3.5 SP1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Office 2000 Professional

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Works

mMHouse

Motorola SM56 Data Fax Modem

Mozilla Firefox (3.0.18)

Mp3tag v2.45a

mPfMgr

mProSafe

MSVC80_x86

MSXML 4.0 SP2 (KB925672)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6 Service Pack 2 (KB973686)

mWlsSafe

mXML

Nokia Connectivity Cable Driver

Nokia PC Suite

Nokia PC Suite

O2Micro Flash Memory Card Windows Driver V1.9

OCA Client history tool install

OneCare Advisor (Windows Live Toolbar)

PC Connectivity Solution

Popup Blocker (Windows Live Toolbar)

QuickTime

REALTEK GbE & FE Ethernet NIC Driver

Realtek High Definition Audio Driver

RegCure 1.5.0.1

Security Update for CAPICOM (KB931906)

Security Update for CAPICOM (KB931906)

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows XP (KB913433)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950759)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953838)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956390)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958215)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960714)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB963027)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969897)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972260)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974455)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB976325)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978706)

Smart Menus (Windows Live Toolbar)

SPSS 15.0 for Windows

Symantec KB-DocID:2003093015493306

Tabbed Browsing (Windows Live Toolbar)

ThinkPad UltraNav Driver

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Media Player 10 (KB910393)

Update for Windows Media Player 10 (KB913800)

Update for Windows Media Player 10 (KB926251)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update for Windows XP (KB976749)

Update for Windows XP (KB978207)

Update Rollup 2 for Windows XP Media Center Edition 2005

USB Enhanced Performance Keyboard Software

VC80CRTRedist - 8.0.50727.4053

Windows Driver Package - Nokia Modem (05/22/2008 3.8)

Windows Driver Package - Nokia Modem (05/22/2008 7.00.0.1)

Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)

Windows Easy Transfer

Windows Imaging Component

Windows Installer 3.1 (KB893803)

Windows Live Favorites for Windows Live Toolbar

Windows Live Messenger

Windows Live Outlook Toolbar (Windows Live Toolbar)

Windows Live Sign-in Assistant

Windows Live Toolbar

Windows Live Toolbar

Windows Live Toolbar Extension (Windows Live Toolbar)

Windows Live Toolbar Feed Detector (Windows Live Toolbar)

Windows Media Format 11 runtime

Windows Media Format 11 runtime

Windows Media Player 11

Windows Media Player 11

Windows XP Media Center Edition 2005 KB908246

Windows XP Media Center Edition 2005 KB911061

Windows XP Media Center Edition 2005 KB925766

Windows XP Media Center Edition 2005 KB973768

Windows XP Service Pack 3

WinZip 14.0

XP Codec Pack

Link to post
Share on other sites

Hi Delta,

This is a reply to your first post, below find pasted my uninstall manager log..

4oD

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 7.1.0

Apple Mobile Device Support

Apple Software Update

BBC iPlayer Download Manager

BlueSoleil

Bonjour

Citrix Presentation Server Client

Critical Update for Windows Media Player 11 (KB959772)

DivX

DivX Converter

DivX Converter

DivX Player

DivX Plus Web Player

Google Toolbar for Internet Explorer

Google Toolbar for Internet Explorer

Google Update Helper

Google Updater

High Definition Audio Driver Package - KB888111

HijackThis 2.0.2

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 10 (KB903157)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

hp deskjet 3420 series (Remove only)

Intel

Link to post
Share on other sites

Hi kevinboo,

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.

  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

    [*]Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.

  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE

Important! Please do not select the "Show all" checkbox during the scan..

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.

Hello Delta,

Here is my gmer.txt...

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-03-08 21:13:33

Windows 5.1.2600 Service Pack 3

Running: 9kpoqbu7.exe; Driver: C:\DOCUME~1\Nat\LOCALS~1\Temp\uwtdqpod.sys

---- System - GMER 1.0.15 ----

SSDT 8572B788

ZwAlertResumeThread

SSDT 864C2A68

ZwAlertThread

SSDT 85713518

ZwAllocateVirtualMemory

SSDT 856B2A10

ZwAssignProcessToJobObject

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey

[0xA802F210]

SSDT 866545F0

ZwCreateMutant

SSDT 86541F38

ZwCreateSymbolicLinkObject

SSDT 8659C8C0

ZwCreateThread

SSDT 8571EE90

ZwDebugActiveProcess

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey

[0xA802F490]

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

ZwDeleteValueKey [0xA802F9F0]

SSDT 864CF1C0

ZwDuplicateObject

SSDT 864CB920

ZwFreeVirtualMemory

SSDT 857143B8

ZwImpersonateAnonymousToken

SSDT 85714458

ZwImpersonateThread

SSDT 85717D00

ZwLoadDriver

SSDT 857040E0

ZwMapViewOfSection

SSDT 856C5F90 ZwOpenEvent

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwOpenKey

[0xA802F7A0]

SSDT 85756948

ZwOpenProcess

SSDT 864CD1D0

ZwOpenProcessToken

SSDT 85717DE0

ZwOpenSection

SSDT 8563E9A8

ZwOpenThread

SSDT 856B2940

ZwProtectVirtualMemory

SSDT 864ED780

ZwResumeThread

SSDT 85732B28

ZwSetContextThread

SSDT 85768050

ZwSetInformationProcess

SSDT 8571EF70

ZwSetSystemInformation

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

ZwSetValueKey [0xA802FC40]

SSDT 856C5ED0

ZwSuspendProcess

SSDT 864B7D98

ZwSuspendThread

SSDT 864E2488

ZwTerminateProcess

SSDT 864B7E78

ZwTerminateThread

SSDT 85768008

ZwUnmapViewOfSection

SSDT 8563E800

ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2DD0 8050466C 4

Bytes JMP 579ECBD4

.text ntkrnlpa.exe!ZwCallbackReturn + 3024 805048C0 4

Bytes CALL CB44CE28

? SYMDS.SYS The system

cannot find the file specified. !

? SYMEFA.SYS The system

cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys

(Synaptics Touchpad Driver/Synaptics, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a5736d8

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a5736d8@001bee40a47c 0x98 0x6B

0xF0 0x65 ...

Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000a3a5736d8 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000a3a5736d8@001bee40a47c 0x98 0x6B

0xF0 0x65 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 02:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 03:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 04:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 05:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 06:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 07:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 08:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 09:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 10:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 11:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 12:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 13:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 14:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 15:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 16:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 17:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 18:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 19:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 20:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 21:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 22:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 23:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 24:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 25:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 26:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 27:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 28:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 29:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 30:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 31:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 32:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 33:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 34:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 35:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 36:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 37:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 38:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 39:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 40:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 41:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 42:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 43:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 44:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 45:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 46:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 47:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 48:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 49:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 50:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 51:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 52:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 53:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 54:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 55:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 56:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 57:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 58:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 59:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 60:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 61:

copy of MBR

Disk \Device\Harddisk0\DR0 sector 62:

rootkit-like behavior; copy of MBR

Disk \Device\Harddisk0\DR0 sector 63:

rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----

Link to post
Share on other sites

Hi kevinboo,

Rkill

Please download Rkill from one of the following links and save to your Desktop:

One, Two,Three or Four

  • Double click on Rkill.
  • A command window will open then disappear upon completion, this is normal.
  • A notepad windows will open, please post the contents in your next reply
  • This log can also be found at C:\rkill.log
  • Please leave Rkill on the Desktop until otherwise advised.

Note: If your security software warns about Rkill, please ignore and allow the download to continue.

Malwarebytes Anti-Malware

  • Run Malwarebytes Anti-Malware
  • Once the program has loaded, update and then select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post that log in your next reply.

The log can also be found here:

  1. Launch Malwarebytes' Anti-Malware
  2. Click on the Logs radio tab.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Rooter

Please download Rooter.exe... Copyrighted

Link to post
Share on other sites

Hi kevinboo,

Rkill

Please download Rkill from one of the following links and save to your Desktop:

One, Two,Three or Four

  • Double click on Rkill.
  • A command window will open then disappear upon completion, this is normal.
  • A notepad windows will open, please post the contents in your next reply
  • This log can also be found at C:\rkill.log
  • Please leave Rkill on the Desktop until otherwise advised.

Note: If your security software warns about Rkill, please ignore and allow the download to continue.

Malwarebytes Anti-Malware

  • Run Malwarebytes Anti-Malware
  • Once the program has loaded, update and then select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post that log in your next reply.

The log can also be found here:

  1. Launch Malwarebytes' Anti-Malware
  2. Click on the Logs radio tab.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Rooter

Please download Rooter.exe... Copyrighted

Link to post
Share on other sites

Hi kevinboo,

Check MBR

  • Download the file MBR.exe and save it to the desktop
  • Open Notepad.
  • Copy/paste the following text into the empty Notepad window.
    @echo off
    "%userprofile%\desktop\mbr.exe"
    start notepad mbr.log


  • Save the file as mbrfix.bat on your desktop. Save it with the file type... all types *.*.
  • Double click the file mbrfix.bat to execute.
  • Post the contents of mbr.log in your next reply

Link to post
Share on other sites

Hi kevinboo,

Check MBR

  • Download the file MBR.exe and save it to the desktop
  • Open Notepad.
  • Copy/paste the following text into the empty Notepad window.
    @echo off
    "%userprofile%\desktop\mbr.exe"
    start notepad mbr.log


  • Save the file as mbrfix.bat on your desktop. Save it with the file type... all types *.*.
  • Double click the file mbrfix.bat to execute.
  • Post the contents of mbr.log in your next reply

Hi Delta,

Here's my MBR...

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

Link to post
Share on other sites

Hi kevinboo,

Upload a File to Virustotal

Please go to Virustotal

Copy/paste this file and path into the white box at the top:

Press Submit - this will submit the file for testing.

Please wait for all the scanners to finish then copy and paste the results in your next response.

<table border="1"><tr><td colspan="4">File Usu__rio1263816420L.exe received on 2010.02.25 14:45:15 (UTC)</td></tr><tr><td>Antivirus</td><td>Version</td><td>Last Update</td><td>Result</td</tr><tr><td>a-squared</td><td>4.5.0.50</td><td>2010.02.25</td><td style="color: red;">Downloader.Kiser!IK</td</tr><tr><td>AhnLab-V3</td><td>5.0.0.2</td><td>2010.02.25</td><td>-</td</tr><tr><td>AntiVir</td><td>8.2.1.172</td><td>2010.02.25</td><td style="color: red;">DR/Kiser.FB</td</tr><tr><td>Antiy-AVL</td><td>2.0.3.7</td><td>2010.02.25</td><td>-</td</tr><tr><td>Authentium</td><td>5.2.0.5</td><td>2010.02.25</td><td>-</td</tr><tr><td>Avast</td><td>4.8.1351.0</td><td>2010.02.24</td><td>-</td</tr><tr><td>AVG</td><td>9.0.0.730</td><td>2010.02.25</td><td>-</td</tr><tr><td>BitDefender</td><td>7.2</td><td>2010.02.25</td><td>-</td</tr><tr><td>CAT-QuickHeal</td><td>10.00</td><td>2010.02.25</td><td>-</td</tr><tr><td>ClamAV</td><td>0.96.0.0-git</td><td>2010.02.25</td><td style="color: red;">PUA.Script.Packed-3</td</tr><tr><td>Comodo</td><td>4060</td><td>2010.02.25</td><td style="color: red;">UnclassifiedMalware</td</tr><tr><td>DrWeb</td><td>5.0.1.12222</td><td>2010.02.25</td><td>-</td</tr><tr><td>eSafe</td><td>7.0.17.0</td><td>2010.02.24</td><td>-</td</tr><tr><td>eTrust-Vet</td><td>35.2.7328</td><td>2010.02.25</td><td style="color: red;">Win32/Orsam.J</td</tr><tr><td>F-Prot</td><td>4.5.1.85</td><td>2010.02.25</td><td>-</td</tr><tr><td>F-Secure</td><td>9.0.15370.0</td><td>2010.02.25</td><td style="color: red;">Suspicious:W32/Malware!Gemini</td</tr><tr><td>Fortinet</td><td>4.0.14.0</td><td>2010.02.25</td><td style="color: red;">W32/Autorun.ZF!worm</td</tr><tr><td>GData</td><td>19</td><td>2010.02.25</td><td>-</td</tr><tr><td>Ikarus</td><td>T3.1.1.80.0</td><td>2010.02.25</td><td style="color: red;">Downloader.Kiser</td</tr><tr><td>Jiangmin</td><td>13.0.900</td><td>2010.02.25</td><td>-</td</tr><tr><td>K7AntiVirus</td><td>7.10.981</td><td>2010.02.23</td><td>-</td</tr><tr><td>Kaspersky</td><td>7.0.0.125</td><td>2010.02.25</td><td>-</td</tr><tr><td>McAfee</td><td>5902</td><td>2010.02.24</td><td style="color: red;">W32/Autorun.worm.zf.gen</td</tr><tr><td>McAfee+Artemis</td><td>5902</td><td>2010.02.24</td><td style="color: red;">Artemis!84CB8691AA81</td</tr><tr><td>McAfee-GW-Edition</td><td>6.8.5</td><td>2010.02.25</td><td>-</td</tr><tr><td>Microsoft</td><td>1.5502</td><td>2010.02.25</td><td>-</td</tr><tr><td>NOD32</td><td>4895</td><td>2010.02.25</td><td>-</td</tr><tr><td>Norman</td><td>6.04.08</td><td>2010.02.25</td><td style="color: red;">AutoRun.AGUK</td</tr><tr><td>nProtect</td><td>2009.1.8.0</td><td>2010.02.25</td><td>-</td</tr><tr><td>Panda</td><td>10.0.2.2</td><td>2010.02.24</td><td style="color: red;">Trj/CI.A</td</tr><tr><td>PCTools</td><td>7.0.3.5</td><td>2010.02.25</td><td>-</td</tr><tr><td>Prevx</td><td>3.0</td><td>2010.02.25</td><td style="color: red;">High Risk Worm</td</tr><tr><td>Rising</td><td>22.34.01.03</td><td>2010.02.11</td><td style="color: red;">AdWare.Win32.Autoit.x</td</tr><tr><td>Sophos</td><td>4.50.0</td><td>2010.02.25</td><td style="color: red;">Mal/Generic-A</td</tr><tr><td>Sunbelt</td><td>5698</td><td>2010.02.25</td><td>-</td</tr><tr><td>Symantec</td><td>20091.2.0.41</td><td>2010.02.25</td><td>-</td</tr><tr><td>TheHacker</td><td>6.5.1.6.210</td><td>2010.02.25</td><td>-</td</tr><tr><td>TrendMicro</td><td>9.120.0.1004</td><td>2010.02.25</td><td>-</td</tr><tr><td>VBA32</td><td>3.12.12.2</td><td>2010.02.25</td><td style="color: red;">Trojan.Autoit.F</td</tr><tr><td>ViRobot</td><td>2010.2.25.2202</td><td>2010.02.25</td><td>-</td</tr><tr><td>VirusBuster</td><td>5.0.27.0</td><td>2010.02.24</td><td>-</td</tr><tr><td colspan="4"> </td></tr><tr><td colspan="4">Additional information</td></tr><tr><td colspan="4">File size: 423016 bytes</td></tr><tr><td colspan="4">MD5   : 84cb8691aa81b9c39d5b0de8f280170b</td></tr><tr><td colspan="4">SHA1  : 9de7715b0112bdce5bfdd17895ee8209f1b789c7</td></tr><tr><td colspan="4">SHA256: 3651f87f9a5d6c41ee8c80ac9ac6c57b0b6d0ca3d3552aebcca90ec6fdeafd63</td></tr><tr><td colspan="4">PEInfo: PE Structure information<br> <br> ( base data )<br> entrypointaddress.: 0xAF1E0<br> timedatestamp.....: 0x4951FA17 (Wed Dec 24 10:00:07 2008)<br> machinetype.......: 0x14C (Intel I386)<br> <br> ( 3 sections )<br> name viradd virsiz rawdsiz ntrpy md5<br> UPX0 0x1000 0x6F000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<br>UPX1 0x70000 0x40000 0x3F400 7.93 08b3eaa2b794bef186a3a4bb4377144d<br>.rsrc 0xB0000 0x8000 0x8000 4.88 ff919d5108d999ce9e2338ad5d9bbd94<br> <br> ( 16 imports )<br> <br>> advapi32.dll: AddAce<br>> comctl32.dll: ImageList_Remove<br>> comdlg32.dll: GetSaveFileNameW<br>> gdi32.dll: BitBlt<br>> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess<br>> mpr.dll: WNetGetConnectionW<br>> ole32.dll: CoInitialize<br>> oleaut32.dll: -<br>> psapi.dll: EnumProcesses<br>> shell32.dll: DragFinish<br>> user32.dll: GetDC<br>> userenv.dll: LoadUserProfileW<br>> version.dll: VerQueryValueW<br>> wininet.dll: FtpOpenFileW<br>> winmm.dll: timeGetTime<br>> wsock32.dll: -<br> <br> ( 0 exports )<br> </td></tr><tr><td colspan="4">TrID  : File type identification<br>UPX compressed Win32 Executable (43.8%)<br>Win32 EXE Yoda's Crypter (38.1%)<br>Win32 Executable Generic (12.2%)<br>Generic Win/DOS Executable (2.8%)<br>DOS Executable Generic (2.8%)</td></tr><tr><td colspan="4">ssdeep: 6144:5lZ/zUMu4pDSxsCMRzf7x3SfS1JAzXBtL76lCUuEUJYZxoXUbMA+FK:5HLUMuiv9RgfSjAzRtyRuyL0vA+M</td></tr><tr><td colspan="4">sigcheck: publisher....: n/a<br>copyright....: n/a<br>product......: n/a<br>description..: BOX _NTR2010s<br>original name: n/a<br>internal name: n/a<br>file version.: 1.4.0.0<br>comments.....: n/a<br>signers......: -<br>signing date.: -<br>verified.....: Unsigned<br></td></tr><tr><td colspan="4">Prevx Info: <a href="http://info.prevx.com/aboutprogramtext.asp?PX5=042C75EA68B0BD4174F906A3D7478800B83D9FA4" target="_blank">http://info.prevx.com/aboutprogramtext.asp?PX5=042C75EA68B0BD4174F906A3D7478800B83D9FA4</a></td></tr><tr><td colspan="4">PEiD  : -</td></tr><tr><td colspan="4">packers (Kaspersky): PE_Patch.UPX, UPX</td></tr><tr><td colspan="4">packers (F-Prot): UPX</td></tr><tr><td colspan="4">RDS   : NSRL Reference Data Set<br>-</td></tr></table>

Link to post
Share on other sites

Hi kevinboo,

Upload a File to Virustotal

Please go to Virustotal

Copy/paste this file and path into the white box at the top:

Press Submit - this will submit the file for testing.

Please wait for all the scanners to finish then copy and paste the results in your next response.

Hi here are the results:

Antivirus;Version;Last Update;Result

a-squared;4.5.0.50;2010.02.25;Downloader.Kiser!IK

AhnLab-V3;5.0.0.2;2010.02.25;-

AntiVir;8.2.1.172;2010.02.25;DR/Kiser.FB

Antiy-AVL;2.0.3.7;2010.02.25;-

Authentium;5.2.0.5;2010.02.25;-

Avast;4.8.1351.0;2010.02.24;-

AVG;9.0.0.730;2010.02.25;-

BitDefender;7.2;2010.02.25;-

CAT-QuickHeal;10.00;2010.02.25;-

ClamAV;0.96.0.0-git;2010.02.25;PUA.Script.Packed-3

Comodo;4060;2010.02.25;UnclassifiedMalware

DrWeb;5.0.1.12222;2010.02.25;-

eSafe;7.0.17.0;2010.02.24;-

eTrust-Vet;35.2.7328;2010.02.25;Win32/Orsam.J

F-Prot;4.5.1.85;2010.02.25;-

F-Secure;9.0.15370.0;2010.02.25;Suspicious:W32/Malware!Gemini

Fortinet;4.0.14.0;2010.02.25;W32/Autorun.ZF!worm

GData;19;2010.02.25;-

Ikarus;T3.1.1.80.0;2010.02.25;Downloader.Kiser

Jiangmin;13.0.900;2010.02.25;-

K7AntiVirus;7.10.981;2010.02.23;-

Kaspersky;7.0.0.125;2010.02.25;-

McAfee;5902;2010.02.24;W32/Autorun.worm.zf.gen

McAfee+Artemis;5902;2010.02.24;Artemis!84CB8691AA81

McAfee-GW-Edition;6.8.5;2010.02.25;-

Microsoft;1.5502;2010.02.25;-

NOD32;4895;2010.02.25;-

Norman;6.04.08;2010.02.25;AutoRun.AGUK

nProtect;2009.1.8.0;2010.02.25;-

Panda;10.0.2.2;2010.02.24;Trj/CI.A

PCTools;7.0.3.5;2010.02.25;-

Prevx;3.0;2010.02.25;High Risk Worm

Rising;22.34.01.03;2010.02.11;AdWare.Win32.Autoit.x

Sophos;4.50.0;2010.02.25;Mal/Generic-A

Sunbelt;5698;2010.02.25;-

Symantec;20091.2.0.41;2010.02.25;-

TheHacker;6.5.1.6.210;2010.02.25;-

TrendMicro;9.120.0.1004;2010.02.25;-

VBA32;3.12.12.2;2010.02.25;Trojan.Autoit.F

ViRobot;2010.2.25.2202;2010.02.25;-

VirusBuster;5.0.27.0;2010.02.24;-

Additional information

File size: 423016 bytes

MD5   : 84cb8691aa81b9c39d5b0de8f280170b

SHA1  : 9de7715b0112bdce5bfdd17895ee8209f1b789c7

SHA256: 3651f87f9a5d6c41ee8c80ac9ac6c57b0b6d0ca3d3552aebcca90ec6fdeafd63

PEInfo: PE Structure information<br> <br> ( base data )<br> entrypointaddress.: 0xAF1E0<br> timedatestamp.....: 0x4951FA17 (Wed Dec 24 10:00:07 2008)<br> machinetype.......: 0x14C (Intel I386)<br> <br> ( 3 sections )<br> name viradd virsiz rawdsiz ntrpy md5<br> UPX0 0x1000 0x6F000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<br>UPX1 0x70000 0x40000 0x3F400 7.93 08b3eaa2b794bef186a3a4bb4377144d<br>.rsrc 0xB0000 0x8000 0x8000 4.88 ff919d5108d999ce9e2338ad5d9bbd94<br> <br> ( 16 imports )<br> <br>> advapi32.dll: AddAce<br>> comctl32.dll: ImageList_Remove<br>> comdlg32.dll: GetSaveFileNameW<br>> gdi32.dll: BitBlt<br>> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess<br>> mpr.dll: WNetGetConnectionW<br>> ole32.dll: CoInitialize<br>> oleaut32.dll: -<br>> psapi.dll: EnumProcesses<br>> shell32.dll: DragFinish<br>> user32.dll: GetDC<br>> userenv.dll: LoadUserProfileW<br>> version.dll: VerQueryValueW<br>> wininet.dll: FtpOpenFileW<br>> winmm.dll: timeGetTime<br>> wsock32.dll: -<br> <br> ( 0 exports )<br>

TrID  : File type identification<br>UPX compressed Win32 Executable (43.8%)<br>Win32 EXE Yoda's Crypter (38.1%)<br>Win32 Executable Generic (12.2%)<br>Generic Win/DOS Executable (2.8%)<br>DOS Executable Generic (2.8%)

ssdeep: 6144:5lZ/zUMu4pDSxsCMRzf7x3SfS1JAzXBtL76lCUuEUJYZxoXUbMA+FK:5HLUMuiv9RgfSjAzRtyRuyL0vA+M

sigcheck: publisher....: n/a<br>copyright....: n/a<br>product......: n/a<br>description..: BOX _NTR2010s<br>original name: n/a<br>internal name: n/a<br>file version.: 1.4.0.0<br>comments.....: n/a<br>signers......: -<br>signing date.: -<br>verified.....: Unsigned<br>

Prevx Info: <a href="http://info.prevx.com/aboutprogramtext.asp?PX5=042C75EA68B0BD4174F906A3D7478800B83D9FA4" target="_blank">http://info.prevx.com/aboutprogramtext.asp?PX5=042C75EA68B0BD4174F906A3D7478800B83D9FA4</a>

PEiD  : -

packers (Kaspersky): PE_Patch.UPX, UPX

packers (F-Prot): UPX

RDS   : NSRL Reference Data Set<br>-

Thanks

Link to post
Share on other sites

Hi kevinboo,

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the customFix.png textbox. Do not include the word Code
    :otl
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.ask.com?o=15153&l=dis
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    :services
    .1173065773
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
    "DisableMonitoring" = 0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    :files
    C:\Program Files\1173065773\Nat1173065773L.exe
    :commands
    [RESETHOSTS]


  • Then click the Run Fix button at the top.
  • Click btnOK.png.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

Link to post
Share on other sites

Hi kevinboo,

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the customFix.png textbox. Do not include the word Code
    :otl
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.ask.com?o=15153&l=dis
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    :services
    .1173065773
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
    "DisableMonitoring" = 0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    :files
    C:\Program Files\1173065773\Nat1173065773L.exe
    :commands
    [RESETHOSTS]


  • Then click the Run Fix button at the top.
  • Click btnOK.png.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

Hi Delta,

Here is my second OTL text...

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\- BHO: Adobe PDF Reader Link Helper\ not found.

File {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll not found.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.

File not found.

========== SERVICES/DRIVERS ==========

Service .1173065773 stopped successfully!

Service .1173065773 deleted successfully!

========== REGISTRY ==========

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\"FirstRunDisabled" | 0 /E : value set successfully!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\"UpdatesDisableNotify" | 0 /E : value set successfully!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\"AntiVirusOverride" | 0 /E : value set successfully!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\"FirewallOverride" | 0 /E : value set successfully!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\"AntiVirusDisableNotify" | 0 /E : value set successfully!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\"FirewallDisableNotify" | 0 /E : value set successfully!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\\"DisableMonitoring" | 0 /E : value set successfully!

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\\"DisableNotifications" | 0 /E : value set successfully!

========== FILES ==========

C:\Program Files\1173065773\Nat1173065773L.exe moved successfully.

========== COMMANDS ==========

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

OTL by OldTimer - Version 3.1.34.0 log created on 03122010_122418

Link to post
Share on other sites

Hi kevinboo,

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 18.

  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "JDK 6 Update 18 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version

You should Download and Install the newest version of Adobe Reader for reading pdf files, due to the vulnerabilities in earlier versions.

All versions numbered lower than 9.3 are vulnerable.

  • Go HERE , UNCHECK any Free Add-Ons, and click Download to install the latest version of Adobe Acrobat Reader.
  • After it completes the Installation, close the Download Manager.

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives

[*]Click on My Computer under Scan.

[*]Once the scan is complete, it will display the results. Click on View Scan Report.

[*]You will see a list of infected items there. Click on Save Report As....

[*]Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

[*]Please post this log along with a new HijackThis log in your next reply and also let me know how your computer is running now.

Link to post
Share on other sites

Hi Delta,

Sorry for the delay, Mohters day week-end and all that. Logs as requested below, and I seem to be running OK now.

KASPERSKY ONLINE SCANNER 7.0: scan report

Monday, March 15, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Monday, March 15, 2010 07:24:18

Records in database: 3802802

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Objects scanned: 81922

Threats found: 6

Infected objects found: 8

Suspicious objects found: 0

Scan duration: 02:36:24

File name / Threat / Threats count

C:\Documents and Settings\Nat\Local Settings\Application Data\MSASCui.exe Infected: Trojan.Win32.FraudPack.annm 1

C:\Documents and Settings\Nat\Local Settings\Temp\392.exe Infected: P2P-Worm.Win32.Palevo.ums 1

C:\Documents and Settings\Nat\Local Settings\Temp\574.exe Infected: P2P-Worm.Win32.Palevo.uwi 1

C:\Documents and Settings\Nat\Local Settings\Temp\612.exe Infected: P2P-Worm.Win32.Palevo.now 1

C:\Documents and Settings\Nat\Local Settings\Temp\843.exe Infected: P2P-Worm.Win32.Palevo.rbi 1

C:\Documents and Settings\Nat\Local Settings\Temp\876.exe Infected: P2P-Worm.Win32.Palevo.nbz 1

C:\Documents and Settings\Nat\Local Settings\Temporary Internet Files\Content.IE5\5R0AEDLW\eH6c1543e6V03f01830002Rbb05ee99102T2798e960Q000002f3900807F0016000aJ0e00060

1l0809K7307105c3180[1] Infected: Trojan.Win32.FraudPack.annm 1

C:\Documents and Settings\Nat\Local Settings\Temporary Internet Files\Content.IE5\5R0AEDLW\eH6c1543e6V03f01830002Rbb05ee99102T2798e966Q000002f3900807F0016000aJ0e00060

1l0809K7307105c316P000001070[1] Infected: Trojan.Win32.FraudPack.annm 1

Selected area has been scanned.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:00:59, on 15/03/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Kontiki\KService.exe

C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe

C:\WINDOWS\system32\o2flash.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\sm56hlpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Downloaded Programs\iTUNES\iTunesHelper.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Java\jre6\bin\java.exe

C:\Downloaded Programs\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.ask.com?o=15153&l=dis

O1 - Hosts:

Link to post
Share on other sites

Hi kevinboo,

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the customFix.png textbox. Do not include the word Code
    :files
    C:\Documents and Settings\Nat\Local Settings\Application Data\MSASCui.exe
    C:\Documents and Settings\Nat\Local Settings\Temp\392.exe
    C:\Documents and Settings\Nat\Local Settings\Temp\574.exe
    C:\Documents and Settings\Nat\Local Settings\Temp\612.exe
    C:\Documents and Settings\Nat\Local Settings\Temp\843.exe
    C:\Documents and Settings\Nat\Local Settings\Temp\876.exe
    C:\Documents and Settings\Nat\Local Settings\Temporary Internet Files\Content.IE5\5R0AEDLW\eH6c1543e6V03f01830002Rbb05ee99102T2798e960Q000002f3900807F0016000aJ0e00060
    1l0809K7307105c3180[1]
    C:\Documents and Settings\Nat\Local Settings\Temporary Internet Files\Content.IE5\5R0AEDLW\eH6c1543e6V03f01830002Rbb05ee99102T2798e966Q000002f3900807F0016000aJ0e00060
    1l0809K7307105c316P000001070[1]
    [RESETHOSTS]


  • Then click the Run Fix button at the top.
  • Click btnOK.png.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

TFC

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes , and may only take a few seconds. Only if needed will you be prompted to reboot.

Link to post
Share on other sites

Hi Delta

Please see below OTL detail as requested.

========== FILES ==========

C:\Documents and Settings\Nat\Local Settings\Application Data\MSASCui.exe moved successfully.

C:\Documents and Settings\Nat\Local Settings\Temp\392.exe moved successfully.

C:\Documents and Settings\Nat\Local Settings\Temp\574.exe moved successfully.

C:\Documents and Settings\Nat\Local Settings\Temp\612.exe moved successfully.

C:\Documents and Settings\Nat\Local Settings\Temp\843.exe moved successfully.

C:\Documents and Settings\Nat\Local Settings\Temp\876.exe moved successfully.

File\Folder C:\Documents and Settings\Nat\Local Settings\Temporary Internet Files\Content.IE5\5R0AEDLW\eH6c1543e6V03f01830002Rbb05ee99102T2798e960Q000002f3900807F0016000aJ0e00060 not found.

File\Folder 1l0809K7307105c3180[1] not found.

File\Folder C:\Documents and Settings\Nat\Local Settings\Temporary Internet Files\Content.IE5\5R0AEDLW\eH6c1543e6V03f01830002Rbb05ee99102T2798e966Q000002f3900807F0016000aJ0e00060 not found.

File\Folder 1l0809K7307105c316P000001070[1] not found.

File\Folder [RESETHOSTS] not found.

OTL by OldTimer - Version 3.1.34.0 log created on 03162010_075749

Regards... Kevin

Link to post
Share on other sites

Hi kevinboo,

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Remove GMER

Delete the GMER icon from your desktop, it will be named 9kpoqbu7.exe

Clean up with OTL

  • Double-click OTL.exe to start the program. This will remove all the tools we used to clean your pc.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.

Create a new, clean System Restore point which you can use in case of future system problems:

  • Press Start >> All Programs >> Accessories >>System Tools >> System Restore
  • Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
  • Now remove old, infected System Restore points:
  • Next click Start >> Run and type cleanmgr in the box and press OK
  • Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
  • Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
  • Press OK and Yes to confirm

Update your AntiVirus Software and keep your other programs up-to-date

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Secunia Software Inspector

F-secure Health Check

Important

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.