Laptop riddled with malware

[Beatrix101]

Hiya, I'm hoping someone can help me out here. Ever since last week my laptop has been having some problems and it's steadily getting worse. It all started with me stupidly accepting a virus file through MSN. It was from a friend of mine who I thought I could trust, so I didn't think anything of it when I accepted it. Ever since I accepted the file, my computer's been in a terrible state. It's slow, crashes every 20 seconds (quite literally), gives me constant popups with those sites that try and get you to install some 'virus protection software' and messes up a good majority of the programs so that they won't work properly. I found out today that my Photoshop refuses to allow me to use any of the tools and Firefox closes automatically whenever I try and open a file up.

I have Norton Security and Ad-Aware installed, and they keep telling me I have 'Infostealer' and trojans and the like.

If it helps any, my laptop is running Windows XP Service Pack 2 and is an Acer TravelMate 4500.

Thanks in advance for your help :) My HijackThis log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 22:37:05, on 28/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kevin Youens\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lost-hope.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\ileifsnh.dll",realset
O4 - HKLM\..\RunOnce: [NCInstallQueue] rundll32 netman.dll,ProcessQueue
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by123w.bay123.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1173013433402
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173013415516
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A64339A7-02F6-4423-BCA3-0160FD25A5C5}: NameServer = 62.6.40.162 194.72.0.98
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000627 (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

[LonnyRJones]

Welcome Beatrix101

Start Hijackthis and place a check next to these items If there.

O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\ileifsnh.dll",realset

Optional fix's >
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZJfox000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
====================================
Hit fix checked and close Hijackthis.


Post a combofix log
1. Download this file - combofix.exe
http://www.techsupportforum.com/sect...s/ComboFix.exe
alternate link
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.

[Beatrix101]

Hiya,

Thanks for helping me out :) I did as you said and the ComboFix log is as follows:

"Kevin Youens" - 07-05-01 17:20:19 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Kevin Youens\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\svycftuj.dll
C:\WINDOWS\system32\qommmmk.dll
C:\WINDOWS\system32\jmnnn.tmp
C:\WINDOWS\system32\jmnnn.ini
C:\WINDOWS\system32\jmnnn.ini2
C:\WINDOWS\system32\jmnnn.bak1
C:\WINDOWS\system32\jmnnn.bak2
C:\WINDOWS\system32\nnnmj.dll
C:\WINDOWS\system32\ljjgghi.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{26291~1
C:\Program Files\Common Files\{36291~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\Client IP-IPX
-------\LEGACY_CLIENT_IP-IPX


((((((((((((((((((((((((((((((( Files Created from 2007-04-01 to 2007-05-01 ))))))))))))))))))))))))))))))))))


2007-04-25 21:43 132,660 --a------ C:\WINDOWS\system32\ileifsnh.dll
2007-04-25 11:24 123,972 --a------ C:\WINDOWS\system32\adfjiunj.dll
2007-04-24 21:07 123,972 --a------ C:\WINDOWS\system32\ifristkq.dll
2007-04-24 02:14 123,972 --a------ C:\WINDOWS\system32\exsodrwm.dll
2007-04-23 21:12 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-04-22 21:19 <DIR> d-------- C:\DOCUME~1\KEVINY~1\APPLIC~1\Lavasoft
2007-04-22 21:02 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-22 20:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-22 12:41 <DIR> d--hs---- C:\FOUND.001
2007-04-21 20:47 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-20 13:05 <DIR> d--hs---- C:\FOUND.000
2007-04-18 19:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-04-17 21:50 <DIR> d-------- C:\DOCUME~1\KEVINY~1\APPLIC~1\STOIK
2007-04-17 21:49 <DIR> d-------- C:\Program Files\STOIK Imaging
2007-04-08 00:55 <DIR> d-------- C:\Program Files\Kontiki
2007-04-08 00:55 <DIR> d-------- C:\Program Files\Channel4
2007-04-08 00:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kontiki
2007-04-03 17:28 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-04-03 17:28 <DIR> d-------- C:\Program Files\KH2FM+ Clock


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-27 01:00 -------- d-------- C:\Program Files\windows media connect 2
2007-03-26 19:13 -------- d-------- C:\Program Files\mp3 player utilities
2007-03-20 18:57 159743 --a------ C:\WINDOWS\google pack screensaver uninstaller.exe
2007-03-17 14:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-14 19:25 -------- d-------- C:\Program Files\messenger plus! live
2007-03-11 13:25 -------- d-------- C:\Program Files\digitope setup
2007-03-10 20:15 -------- d-------- C:\Program Files\video access activex object
2007-03-08 16:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-05 19:46 -------- d-------- C:\Program Files\audacity
2007-03-04 17:21 -------- d-------- C:\Program Files\focus mp3 recorder pro
2007-02-05 21:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
{9ECB9560-04F9-4bbc-943D-298DDF1699E1} C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
{BDF3E430-B101-42AD-A544-FADC6B084872} C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
{D651AFF4-9590-424d-BD1E-8E33E090DFB3} C:\WINDOWS\system32\svycftuj.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LaunchApp"="Alaunch"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"LManager"="C:\\Program Files\\Launch Manager\\QtZgAcer.EXE"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"DSLSTATEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe icon"
"DSLAGENTEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"4oD"="\"C:\\Program Files\\Kontiki\\KHost.exe\" -all"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
"kdx"="C:\\Program Files\\Kontiki\\KHost.exe -all"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Kevin Youens.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-01 17:27:48
Windows 5.1.2600 Service Pack 2 FAT

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-01 17:33:46 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-05-01 17:33

[LonnyRJones]

Good job so far

Start Hijackthis Scan and place a check next to these items If there.

O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\svycftuj.dll (no file)
====================================
Hit fix checked and close Hijackthis.

Manualy delete these files/folders
C:\Program Files\video access activex object < delete folder
C:\WINDOWS\system32\ileifsnh.dll < delete file
Your antivirus might delete when you get close to them, thats fine.


Download "Suspicious File Packer" Third one on this page >
http://www.safer-networking.org/en/tools/index.html
To your desktop, unzip the file inside
run sfp.exe copy then paste the list below into it and hit continue.

C:\WINDOWS\system32\adfjiunj.dll
C:\WINDOWS\system32\ifristkq.dll
C:\WINDOWS\system32\exsodrwm.dll

a .cab file will have been created on your desktop
Attach it here http://www.thespykiller.co.uk/index.php?board=1.0

[Beatrix101]

I've done everything you said and attached the file in this topic:

http://www.thespykiller.co.uk/index.php?topic=4093.0

(should you need to know)

Thanks for you help so far.

[LonnyRJones]

SPF had a problem
- could not add: C:\WINDOWS\system32\adfjiunj.dll
- could not add: C:\WINDOWS\system32\ifristkq.dll
- could not add: C:\WINDOWS\system32\exsodrwm.dll
=================
Set windows to show hidden extensions file's and folder's.
click for> instructions.

Now check if they exist ? if so go back to spykiller and attach each file.

[Beatrix101]

I posted a new reply in the topic with the three files attached.

[LonnyRJones]

Thanks but they are empty, something is preventing us

Reboot into safe mode and move those three files to a new folder such as
c:\samples
restart back to normal mode then go try attaching them again please

safe mode instructions Click here if needed For instructions.

[Beatrix101]

OK, I attached the files again, after following your instructions.

[LonnyRJones]

Hi

Nothings been attached there since you tried last time

Now that they are moved we could try spf again
you were able to move them correct ?
run spf and paste in
c:\samples\*
then attach the new xxx.cab file on your desktop


Post a report from one of these free online scans

http://www.pandasoftware.com/products/activescan.htm
Pess "scan your PC now" allow the active x to install (if prompted)
Do a full scan > Click the my computer button
After the scan click see report then Save the report and post it back here please.
If you have problems read the FAQ http://www.pandasoftware.com/actives...q.asp?IdLang=2

Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to use [x]extended this database etc etc. Click ok.
Then choose: my computer: scan all your hard drives and mapped disks.
when finished click save as text and post that in your reply.

[Beatrix101]

Hmm, that's strange. I definitely attached them and I did as you asked and moved them to the samples folder in safe mode beforehand.

I tried SFP again but it's still saying it cannot add the files. Here's the log for the Panda scan:

Incident Status Location

Potentially unwanted tool:Application/RealSpy Not disinfected C:\WINDOWS\SYSTEM32\ACTSKN45.OCX
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NIRCMD.EXE
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Kevin Youens\Desktop\ComboFix.exe[ComboFixT\nircmd.cfexe]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Kevin Youens\Cookies\kevin youens@atwola[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Kevin Youens\Cookies\kevin_youens@888[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Kevin Youens\Cookies\kevin_youens@tradedoubler[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Kevin Youens\Cookies\kevin_youens@questionmarket[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Kevin Youens\Cookies\kevin youens@did-it[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Kevin Youens\Cookies\kevin_youens@mediaplex[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Kevin Youens\Cookies\kevin_youens@doubleclick[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Kevin Youens\Cookies\kevin_youens@advertising[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Kevin Youens\Cookies\kevin_youens@hitbox[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Kevin Youens\Cookies\kevin_youens@atdmt[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Kevin Youens\Cookies\kevin_youens@int.sitestat[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Kevin Youens\Cookies\kevin_youens@int.sitestat[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Kevin Youens\Cookies\kevin youens@com[1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Kevin Youens\Cookies\kevin_youens@www.systemdoctor[1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Kevin Youens\Cookies\kevin_youens@systemdoctor[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Kevin Youens\Cookies\kevin_youens@winantivirus[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Kevin Youens\Cookies\kevin_youens@winantispyware[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Kevin Youens\Cookies\kevin_youens@casalemedia[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Kevin Youens\Cookies\kevin_youens@stats1.reliablestats[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Kevin Youens\Cookies\kevin_youens@ad.yieldmanager[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.servedby.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.advertising.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.adrevolver.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.mediaplex.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.ad.yieldmanager.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.atdmt.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.fastclick.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.realmedia.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.com.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.tribalfusion.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.casalemedia.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[www.myaffiliateprogram.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.bluestreak.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.serving-sys.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.statcounter.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.questionmarket.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.xiti.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.zedo.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.adtech.de/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[server.iad.liveperson.net/hc/82763522]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[server.iad.liveperson.net/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.tradedoubler.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.2o7.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.trafficmp.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.ads.pointroll.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.overture.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.112.2o7.net/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[stats1.reliablestats.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[www.winantiviruspro.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.hitbox.com/]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.888.com/]
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.weborama.fr/]
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.webpower.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[statse.webtrendslive.com/]
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\COOKIES.TXT[.targetnet.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\cookies-1.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\cookies-1.txt[.atdmt.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\cookies-1.txt[.com.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\cookies-1.txt[.tribalfusion.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\cookies-1.txt[ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\cookies-1.txt[.ad.yieldmanager.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\cookies-1.txt[.tradedoubler.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\cookies-1.txt[.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\cookies-1.txt[.servedby.advertising.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\cookies-1.txt[.adrevolver.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\cookies-1.txt[.adtech.de/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\cookies-1.txt[.fastclick.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\cookies-1.txt[.realmedia.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\cookies-1.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Kevin Youens\Application Data\Mozilla\Firefox\Profiles\3z1x1e35.default\cookies-1.txt[.bs.serving-sys.com/]