Old 08-12-2009, 05:46 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 18
OS: xp


trojans causing internet limited..

Please help, my Norton scan showed me lots of trojans but I don't have the full version so I can't do anything about it.


DDS (Ver_09-07-30.01) - FAT32x86
Run by Administrator at 19:33:14.06 on Wed 08/12/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1983.1675 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Search Settings\SearchSettings.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
G:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uURLSearchHooks: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb128\SearchSettings.dll
BHO: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\DealioToolbarIE.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb128\SearchSettings.dll
TB: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\DealioToolbarIE.dll
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [Windows Update] c:\windows\system32\explorer.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SearchSettings] c:\program files\search settings\SearchSettings.exe
mRun: [net] "c:\windows\system32\net.net"
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4ABB12B3-8A8B-481D-874A-93E16F930A8B} - hxxp://www.hangame.com/common/CKKeyProInst.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} - hxxp://id.hangame.com/common/HanSetup1020.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\l4n3mnbc.default\
FF - prefs.js: browser.startup.homepage - www.g4tv.com
FF - component: c:\program files\mozilla firefox\extensions\{01398b87-61af-4ffb-9ab5-1a1c5fb39a9c}\components\DealioToolbarFF.dll
FF - component: c:\program files\mozilla firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

S3 JRSKD24;JRSKD24;c:\windows\system32\JRSKD24.sys [2008-4-21 10752]
S3 JRSUKD24;JRSUKD24;c:\windows\system32\JRSUKD24.sys [2007-10-28 6784]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [2009-5-1 29184]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2009-08-12 16:36 <DIR> --dsh--- C:\FOUND.001
2009-08-11 20:20 54,784 a------- c:\windows\system32\drivers\UACd.sys
2009-08-11 20:11 91 a------- c:\windows\system32\SKYNETlwgkcexy.dat
2009-08-11 20:11 <DIR> --d----- c:\windows\system32\drivers\NSS
2009-08-11 20:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-08-11 20:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-08-11 20:11 <DIR> --d----- c:\program files\NortonInstaller
2009-08-11 20:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-08-11 20:10 20,480 a------- c:\windows\system32\SKYNETqslltfbf.dll
2009-08-11 20:10 70,656 a------- c:\windows\system32\drivers\SKYNETyqjpypib.sys
2009-08-11 20:10 44,544 a------- c:\windows\system32\SKYNETmyudovrj.dll
2009-08-11 20:10 1,476 a------- c:\windows\system32\SKYNETovqxewft.dat
2009-08-11 20:10 1,234,737 a------- c:\windows\system32\xa.tmp
2009-08-09 13:37 <DIR> --d----- c:\program files\Return to Castle Wolfenstein
2009-08-09 13:36 810 a------- c:\windows\Rtcw.INI

==================== Find3M ====================

2009-08-05 09:37 34 a------- c:\documents and settings\administrator\jagex_runescape_preferences.dat
2009-08-03 17:36 10,752 a------- c:\windows\system32\JRSKD24.sys
2009-08-03 17:36 6,784 a------- c:\windows\system32\JRSUKD24.sys
2009-06-07 12:38 35,624 a------- c:\windows\DIIUnin.dat
2009-06-07 12:37 21,840 a------- c:\windows\system32\SIntfNT.dll
2009-06-07 12:37 17,212 a------- c:\windows\system32\SIntf32.dll
2009-06-07 12:37 12,067 a------- c:\windows\system32\SIntf16.dll
2009-06-07 12:10 94,208 a------- c:\windows\DIIUnin.exe
2009-06-07 12:10 2,829 a------- c:\windows\DIIUnin.pif
2009-06-04 07:37 499,712 a------- c:\windows\system32\msvcp71.dll
2009-05-24 04:10 489,067 a------- c:\windows\system32\HelpMe.exe
2009-04-21 04:45 4,711 a------- c:\documents and settings\administrator\WINXX.REG

============= FINISH: 19:33:25.53 ===============
Attached Files
File Type: rar Attach.rar (3.9 KB, 5 views)
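As an added illustration (not from this thread and not part of DDS, ComboFix or HijackThis), the script below applies the kind of defender heuristics an analyst uses when reading the autostart and file entries in the log above: a registered file that no longer exists, a well-known Windows binary name registered from the wrong directory, a Run target without an executable extension, and a file name that looks machine-generated. The sample lines are copied from the logs in this thread; the KNOWN_HOME baseline and the random-name pattern are assumptions of this example.

```python
"""Triage autostart and file entries from DDS / HijackThis style log lines.

Defender heuristics, each keyed to a pattern visible in the logs of this thread:
  - the registered file no longer exists ("No File", "(file missing)");
  - a well-known Windows binary name registered from the wrong directory
    (explorer.exe belongs in %windir%, not %windir%\\system32);
  - a Run entry whose target lacks an executable extension (net.net);
  - a file name shaped like a fixed prefix plus random letters (SKYNET*.dll).
"""
import ntpath
import re

# Assumed legitimate home directories on an XP layout (example baseline, not from the thread).
KNOWN_HOME = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".cpl"}
AUTOSTART_PREFIX = ("uRun:", "mRun:", "O4 -")
MISSING_MARKERS = ("no file", "(file missing)")

# Either a double-quoted drive path or a bare drive path ending in a known extension.
PATH_RE = re.compile(
    r'"([a-z]:\\[^"]+)"'
    r'|([a-z]:\\.+?\.(?:exe|dll|sys|scr|com|cpl|net|des|dat|tmp))(?=[\s,]|$)',
    re.IGNORECASE,
)
# Upper-case prefix + eight random lower-case letters (the SKYNET* shape). Weak on
# its own, so it is reported as a reason, not a verdict.
RANDOM_NAME_RE = re.compile(r"^[A-Z]{3,8}[a-z]{8}\.(?:dll|sys|dat)$")

# Constructed sample: lines copied from the DDS, ComboFix and HijackThis logs in this thread.
SAMPLE_LOG = r"""
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Windows Update] c:\windows\system32\explorer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [net] "c:\windows\system32\net.net"
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
2009-08-11 20:10 20,480 a------- c:\windows\system32\SKYNETqslltfbf.dll
"""


def extract_path(line: str):
    """Return the first Windows file path found in a log line, or None."""
    m = PATH_RE.search(line)
    if not m:
        return None
    return m.group(1) or m.group(2)


def triage_line(line: str) -> list:
    """Return human-readable reasons why this line deserves a closer look (empty if none)."""
    reasons = []
    low = line.lower()
    if any(marker in low for marker in MISSING_MARKERS):
        reasons.append("registered file is missing (orphaned entry)")
    path = extract_path(line)
    if path is None:
        return reasons
    base = ntpath.basename(path)
    home = ntpath.dirname(path).lower()
    ext = ntpath.splitext(base)[1].lower()
    expected = KNOWN_HOME.get(base.lower())
    if expected and home != expected:
        reasons.append(f"{base} loaded from {home}, expected {expected}")
    if line.startswith(AUTOSTART_PREFIX) and ext not in EXEC_EXT:
        reasons.append(f"autostart target has non-executable extension {ext!r}")
    if RANDOM_NAME_RE.match(base):
        reasons.append(f"machine-generated looking file name {base}")
    return reasons


def triage(log_text: str) -> dict:
    """Map every flagged line to its reasons; clean lines are omitted."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line and (reasons := triage_line(line)):
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print("   ->", reason)
```

Of the seven sample lines, the Google Update and NvCpl entries come out clean and the other five are flagged, which matches what ComboFix later removed or orphaned in this thread.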

Old 08-13-2009, 07:07 PM   #2 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: trojans causing internet limited..

Hi morphidus,

Quote:
Please help, my Norton scan showed me lots of trojans but I don't have the full version so I can't do anything about it.
I don't see your Norton running on your computer. Do you see the program in the system tray?

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

** Note: Please stick with me until I declare that your system is free from malware. Even though your system may not have any symptoms of malware, it may still be infected. **

--------------------------------------------------------------

Before beginning the proposed fix, read this post completely. Any questions should be kindly asked before proceeding. Ensure that there are no open browsers when carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------

  1. Download Combofix from any of the links below. You must rename it before saving it.

    * IMPORTANT !!! Place combo-fix.exe on your Desktop

    Link 1
    Link 2

    --------------------------------------------------------------------
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

    You can get help on disabling your protection programs here
  3. Double click on combo-fix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  5. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.
  6. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  7. When finished, it shall produce a log for you (Located in C:\ComboFix.txt). Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  8. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Old 08-14-2009, 02:42 PM   #3 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 18
OS: xp


Re: trojans causing internet limited..

What if I don't have an active internet connection on the infected machine?..
Old 08-14-2009, 02:53 PM   #4 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: trojans causing internet limited..

morphidus,

Quote:
What if I don't have an active internet connection on the infected machine?..
What computer are you posting from now?

You can always download the tools to removable media and transfer it to the infected computer. Can you please elaborate on your connectivity issues.
Last edited by forhockey; 08-14-2009 at 02:55 PM.
Old 08-14-2009, 04:39 PM   #5 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 18
OS: xp


Re: trojans causing internet limited..

I am posting on my desktop. The infected machine has "limited or no connectivity" and cannot access the internet. I tried restarting my router twice but it did not work. Also, the infected machine does not have the Microsoft Recovery Console, and seeing as I can't connect to the internet, I cannot download it using Combo-fix. Is there any link I can use to download the MRC on my desktop and use a flash drive to put it on my other machine?
Old 08-14-2009, 05:14 PM   #6 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: trojans causing internet limited..

Visit the following link: here

Download the file & save it as it's originally named, next to Combo-Fix.exe.

Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Drag the setup package onto Combo-Fix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
Old 08-14-2009, 08:34 PM   #7 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 18
OS: xp


Re: trojans causing internet limited..

Ok


ComboFix 09-08-10.06 - Administrator 08/14/2009 19:54.1.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1983.1667 [GMT -4:00]
Running from: d:\documents and settings\Administrator\My Documents\Desktop\Combo-Fix.exe
Command switches used :: d:\documents and settings\Administrator\My Documents\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\decrypted.exe
c:\program files\Dealio Toolbar
c:\program files\Dealio Toolbar\config.ini
c:\program files\Dealio Toolbar\DealioToolbarIE.dll
c:\program files\Dealio Toolbar\Res\amazon.gif
c:\program files\Dealio Toolbar\Res\apple.gif
c:\program files\Dealio Toolbar\Res\barnes.gif
c:\program files\Dealio Toolbar\Res\bestbuy.gif
c:\program files\Dealio Toolbar\Res\dealio_logo.gif
c:\program files\Dealio Toolbar\Res\dealio_logo_hover.gif
c:\program files\Dealio Toolbar\Res\ebay.gif
c:\program files\Dealio Toolbar\Res\icon_settings.gif
c:\program files\Dealio Toolbar\Res\macys.gif
c:\program files\Dealio Toolbar\Res\newegg.gif
c:\program files\Dealio Toolbar\Res\overstock.gif
c:\program files\Dealio Toolbar\Res\search-button-hover.gif
c:\program files\Dealio Toolbar\Res\search-button.gif
c:\program files\Dealio Toolbar\Res\search-chevron-hover.gif
c:\program files\Dealio Toolbar\Res\search-chevron.gif
c:\program files\Dealio Toolbar\Res\search_amazon.gif
c:\program files\Dealio Toolbar\Res\search_dealio.gif
c:\program files\Dealio Toolbar\Res\search_ebay.gif
c:\program files\Dealio Toolbar\Res\search_yahoo.gif
c:\program files\Dealio Toolbar\Res\separator.gif
c:\program files\Dealio Toolbar\Res\target.gif
c:\program files\Dealio Toolbar\Res\walmart.gif
c:\program files\Dealio Toolbar\Res\widgets.xml
c:\program files\Dealio Toolbar\SearchSettingsKit.exe
c:\program files\Dealio Toolbar\WidgiHelper.exe
c:\program files\Search Settings
c:\program files\Search Settings\kb128\SearchSettings.dll
c:\program files\Search Settings\kb128\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe
c:\windows\run.log
c:\windows\system32\drivers\SKYNETyqjpypib.sys
c:\windows\system32\drivers\UACd.sys
c:\windows\system32\helpme.exe
c:\windows\system32\SKYNETlwgkcexy.dat
c:\windows\system32\SKYNETmyudovrj.dll
c:\windows\system32\SKYNETovqxewft.dat
c:\windows\system32\SKYNETqslltfbf.dll

.
((((((((((((((((((((((((( Files Created from 2009-07-14 to 2009-08-14 )))))))))))))))))))))))))))))))
.

2009-08-12 20:36 . 2009-08-12 20:36 -------- d-sh--w- C:\FOUND.001
2009-08-12 00:11 . 2009-08-12 00:11 -------- d-----w- c:\windows\system32\drivers\NSS
2009-08-12 00:11 . 2009-08-12 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-12 00:11 . 2009-08-12 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-12 00:11 . 2009-08-12 00:11 -------- d-----w- c:\program files\NortonInstaller
2009-08-12 00:11 . 2009-08-12 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-09 17:37 . 2009-08-09 17:37 -------- d-----w- c:\program files\Return to Castle Wolfenstein
2009-07-21 14:50 . 2009-07-21 14:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-12 00:10 . 2009-08-12 00:10 1234737 ----a-w- c:\windows\system32\xa.tmp
2009-08-05 13:37 . 2009-04-25 02:45 34 ----a-w- c:\documents and settings\Administrator\jagex_runescape_preferences.dat
2009-08-03 21:36 . 2008-04-21 13:49 10752 ----a-w- c:\windows\system32\JRSKD24.sys
2009-08-03 21:36 . 2007-10-29 00:31 6784 ----a-w- c:\windows\system32\JRSUKD24.sys
2009-07-02 16:35 . 2009-07-02 16:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-02 16:34 . 2009-07-02 16:34 -------- d-----w- c:\program files\Norton Security Scan
2009-06-21 21:31 . 2009-04-25 03:25 36304 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 21:17 . 2009-06-16 21:17 -------- d-----w- c:\program files\TI Education
2009-06-16 21:17 . 2009-06-16 21:17 -------- d-----w- c:\program files\Common Files\TI Shared
2009-06-16 21:16 . 2009-06-16 21:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-07 16:38 . 2009-06-07 16:10 35624 ----a-w- c:\windows\DIIUnin.dat
2009-06-07 16:37 . 2009-06-07 16:15 21840 ----a-w- c:\windows\system32\SIntfNT.dll
2009-06-07 16:37 . 2009-06-07 16:15 17212 ----a-w- c:\windows\system32\SIntf32.dll
2009-06-07 16:37 . 2009-06-07 16:15 12067 ----a-w- c:\windows\system32\SIntf16.dll
2009-06-07 16:25 . 2009-06-07 16:25 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-07 16:10 . 2009-06-07 16:10 94208 ----a-w- c:\windows\DIIUnin.exe
2009-06-07 16:10 . 2009-06-07 16:10 2829 ----a-w- c:\windows\DIIUnin.pif
2009-06-04 11:37 . 2009-06-04 11:37 499712 ----a-w- c:\windows\system32\msvcp71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-25 133104]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 202032]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-21 7581696]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-07-27 61952]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57908:TCP"= 57908:TCP:Pando Media Booster
"57908:UDP"= 57908:UDP:Pando Media Booster

S3 JRSKD24;JRSKD24;c:\windows\system32\JRSKD24.sys [4/21/2008 9:49 AM 10752]
S3 JRSUKD24;JRSUKD24;c:\windows\system32\JRSUKD24.sys [10/28/2007 8:31 PM 6784]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [5/1/2009 10:48 PM 29184]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EC0E9B94-D859-DE3A-A5D2-BC4FB000CBC0}]
c:\windows\system32\explorer.exe
.
Contents of the 'Scheduled Tasks' folder

2009-08-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-412668190-839522115-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 02:13]

2009-08-12 c:\windows\Tasks\Norton Security Scan for Administrator.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-08-12 00:11]
.
- - - - ORPHANS REMOVED - - - -

BHO-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - c:\program files\Dealio Toolbar\DealioToolbarIE.dll
Toolbar-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - c:\program files\Dealio Toolbar\DealioToolbarIE.dll
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKLM-Run-SearchSettings - c:\program files\Search Settings\SearchSettings.exe
HKLM-Run-net - c:\windows\system32\net.net


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
DPF: {4ABB12B3-8A8B-481D-874A-93E16F930A8B} - hxxp://www.hangame.com/common/CKKeyProInst.cab
DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} - hxxp://id.hangame.com/common/HanSetup1020.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\l4n3mnbc.default\
FF - prefs.js: browser.startup.homepage - www.g4tv.com
FF - component: c:\program files\Mozilla Firefox\extensions\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}\components\DealioToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-14 19:56
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Completion time: 2009-08-14 19:57
ComboFix-quarantined-files.txt 2009-08-14 23:57

Pre-Run: 17,634,557,952 bytes free
Post-Run: 19,186,974,720 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\="Microsoft Windows"

167

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:16 PM, on 8/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ABB12B3-8A8B-481D-874A-93E16F930A8B} (CKKeyPro Crypto support Class (CKNhnInst)) - hxxp://www.hangame.com/common/CKKeyProInst.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1010 Class) - hxxp://id.hangame.com/common/HanSetup1020.cab
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3590 bytes

Last edited by morphidus; 08-14-2009 at 08:38 PM.
Old 08-15-2009, 03:13 AM   #8 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: trojans causing internet limited..

morphidus,

P2P Software

I see you have P2P software ( LimeWire 5.1.2) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

--------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
Folder::
C:\FOUND.001
DirLook::
c:\documents and settings\Administrator\Local Settings\Application Data\Temp
Save this as CFScript

Referring to the picture above, drag CFScript into Combo-Fix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

--------------------------------------------------------------

Are you able to connect to the internet now?
Old 08-20-2009, 04:56 PM   #9 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 18
OS: xp


Re: trojans causing internet limited..

No, I cannot connect to the internet still. I did what you instructed but I forgot to save the log the first time T.T so here is my log from the second run (not sure if running it twice changed anything?)

ComboFix 09-08-10.06 - Administrator 08/15/2009 14:13.3.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1983.1645 [GMT -4:00]
Running from: d:\documents and settings\Administrator\My Documents\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((( Files Created from 2009-07-15 to 2009-08-15 )))))))))))))))))))))))))))))))
.

2009-08-15 00:14 . 2009-08-15 00:14 -------- d-----w- c:\program files\Trend Micro
2009-08-12 00:11 . 2009-08-12 00:11 -------- d-----w- c:\windows\system32\drivers\NSS
2009-08-12 00:11 . 2009-08-12 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-12 00:11 . 2009-08-12 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-12 00:11 . 2009-08-12 00:11 -------- d-----w- c:\program files\NortonInstaller
2009-08-12 00:11 . 2009-08-12 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-09 17:37 . 2009-08-09 17:37 -------- d-----w- c:\program files\Return to Castle Wolfenstein
2009-07-21 14:50 . 2009-07-21 14:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-12 00:10 . 2009-08-12 00:10 1234737 ----a-w- c:\windows\system32\xa.tmp
2009-08-05 13:37 . 2009-04-25 02:45 34 ----a-w- c:\documents and settings\Administrator\jagex_runescape_preferences.dat
2009-08-03 21:36 . 2008-04-21 13:49 10752 ----a-w- c:\windows\system32\JRSKD24.sys
2009-08-03 21:36 . 2007-10-29 00:31 6784 ----a-w- c:\windows\system32\JRSUKD24.sys
2009-07-02 16:35 . 2009-07-02 16:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-02 16:34 . 2009-07-02 16:34 -------- d-----w- c:\program files\Norton Security Scan
2009-06-21 21:31 . 2009-04-25 03:25 36304 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 21:17 . 2009-06-16 21:17 -------- d-----w- c:\program files\TI Education
2009-06-16 21:17 . 2009-06-16 21:17 -------- d-----w- c:\program files\Common Files\TI Shared
2009-06-16 21:16 . 2009-06-16 21:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-07 16:38 . 2009-06-07 16:10 35624 ----a-w- c:\windows\DIIUnin.dat
2009-06-07 16:37 . 2009-06-07 16:15 21840 ----a-w- c:\windows\system32\SIntfNT.dll
2009-06-07 16:37 . 2009-06-07 16:15 17212 ----a-w- c:\windows\system32\SIntf32.dll
2009-06-07 16:37 . 2009-06-07 16:15 12067 ----a-w- c:\windows\system32\SIntf16.dll
2009-06-07 16:25 . 2009-06-07 16:25 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-07 16:10 . 2009-06-07 16:10 94208 ----a-w- c:\windows\DIIUnin.exe
2009-06-07 16:10 . 2009-06-07 16:10 2829 ----a-w- c:\windows\DIIUnin.pif
2009-06-04 11:37 . 2009-06-04 11:37 499712 ----a-w- c:\windows\system32\msvcp71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-25 133104]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 202032]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-21 7581696]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-07-27 61952]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57908:TCP"= 57908:TCP:Pando Media Booster
"57908:UDP"= 57908:UDP:Pando Media Booster

S3 JRSKD24;JRSKD24;c:\windows\system32\JRSKD24.sys [4/21/2008 9:49 AM 10752]
S3 JRSUKD24;JRSUKD24;c:\windows\system32\JRSUKD24.sys [10/28/2007 8:31 PM 6784]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [5/1/2009 10:48 PM 29184]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - eeCtrl

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EC0E9B94-D859-DE3A-A5D2-BC4FB000CBC0}]
c:\windows\system32\explorer.exe
.
Contents of the 'Scheduled Tasks' folder

2009-08-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-412668190-839522115-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 02:13]

2009-08-15 c:\windows\Tasks\Norton Security Scan for Administrator.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-08-12 00:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
DPF: {4ABB12B3-8A8B-481D-874A-93E16F930A8B} - hxxp://www.hangame.com/common/CKKeyProInst.cab
DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} - hxxp://id.hangame.com/common/HanSetup1020.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\l4n3mnbc.default\
FF - prefs.js: browser.startup.homepage - www.g4tv.com
FF - component: c:\program files\Mozilla Firefox\extensions\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}\components\DealioToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-15 14:14
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Completion time: 2009-08-15 14:15
ComboFix-quarantined-files.txt 2009-08-15 18:15
ComboFix2.txt 2009-08-15 18:03
ComboFix3.txt 2009-08-14 23:57

Pre-Run: 19,237,371,904 bytes free
Post-Run: 19,229,179,904 bytes free

morphidus is offline  
Old 08-21-2009, 06:30 PM   #10 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 18
OS: xp


Re: trojans causing internet limited..

I did a couple things today to try and fix my internet problem (tried everything actually) and I still can't get full connectivity. I also downloaded Comodo anti-virus but i need the internet so i can update it.
morphidus is offline  
Old 08-22-2009, 06:14 PM   #11 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 18
OS: xp


Re: trojans causing internet limited..

I did start > run > cmd > ipconfig /all and it says my autoconfiguration IP address is 169.254.0.0 ?
morphidus is offline  
Old 08-23-2009, 10:41 AM   #12 (permalink)
Analyst, Security Team
 
forhockey's Avatar
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: trojans causing internet limited..

Hi morphidus,

Sorry for the delay as I've been away on business.

------------------------------------------------------------

Please do the following:
  • Go to Start -> Run
  • Type C:\qoobox\ComboFix2.txt <hit enter key>
  • The correct log should appear now. Please post back with the results.


------------------------------------------------------------

Quote:
I did start > run > cmd > ipconfig /all and it says my autoconfiguration IP address is 169.254.0.0 ?
Your computer is having trouble establishing a new IP with your router/modem.

Have you tried restarting your router/modem?

1. Unplug the power from the router.
2. Unplug the power from the modem.
3. Wait a few minutes before plugging back in the power to the router and modem.
4. Plug the power back into the modem and wait for all the lights to turn green.
5. Plug the power back into the router and wait a minute.
6. Restart your computer.

Does your computer connect to the internet now?
forhockey is offline  
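As an added example (not code from the thread or its participants), here is a small Python parser that reads `ipconfig /all` text like the output quoted above and flags any adapter sitting on a 169.254.x.x autoconfiguration address, which Windows assigns itself when its DHCP request to the router/modem gets no answer. The adapter names and addresses in the sample are constructed.

```python
"""Parse `ipconfig /all` output and flag adapters stuck on an APIPA address.

Added example, not from the thread. Windows falls back to a self-assigned
169.254.x.x address when DHCP fails, which is what XP reports as
"limited or no connectivity".
"""
import ipaddress
import re

# 169.254.0.0/16 is the link-local range Windows self-assigns on DHCP failure.
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample in Windows XP `ipconfig /all` layout; names, MAC and
# addresses are made up and are not the poster's real output.
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : LAPTOP
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.0.0
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Broadcom 802.11b/g WLAN

Ethernet adapter 1394 Connection:

        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

# Adapter headers look like "Ethernet adapter Local Area Connection:".
_HEADER = re.compile(r"^(?:[A-Za-z ]*?adapter )?(.+):\s*$")


def parse_ipconfig(text):
    """Return {adapter name: {lower-cased field name: value}}.

    Headers are unindented lines ending in ':'; fields are indented
    'Key . . . : value' lines. The 'Windows IP Configuration' preamble
    has no trailing colon, so its fields are skipped.
    """
    adapters = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            m = _HEADER.match(raw.strip())
            current = m.group(1).strip() if m else None
            if current is not None:
                adapters[current] = {}
            continue
        if current is None or ":" not in raw:
            continue
        key, value = raw.split(":", 1)
        adapters[current][key.strip().rstrip(". ").lower()] = value.strip()
    return adapters


def classify(fields):
    """Classify one adapter's fields as (status, address)."""
    if "disconnected" in fields.get("media state", "").lower():
        return ("disconnected", None)
    ip = (fields.get("autoconfiguration ip address")
          or fields.get("ip address")
          or fields.get("ipv4 address"))
    if not ip:
        return ("no-address", None)
    ip = ip.split("(")[0].strip()  # Vista and later append "(Preferred)"
    if ipaddress.ip_address(ip) in APIPA_NET:
        # Self-assigned: the DHCP request went unanswered.
        return ("apipa", ip)
    if fields.get("dhcp enabled", "").lower() == "yes":
        return ("dhcp", ip)
    return ("static", ip)


def classify_all(text):
    """Classify every adapter in an `ipconfig /all` dump."""
    return {name: classify(f) for name, f in parse_ipconfig(text).items()}


def dhcp_failures(text):
    """Names of adapters that fell back to an APIPA address."""
    return [n for n, (status, _) in classify_all(text).items() if status == "apipa"]


if __name__ == "__main__":
    for name, (status, ip) in classify_all(SAMPLE).items():
        print(f"{name:32} {status:12} {ip or '-'}")
```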
Old 08-24-2009, 03:13 PM   #13 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 18
OS: xp


Re: trojans causing internet limited..

Well.... I tried that a couple times just now and it doesn't seem to be working :( . I had my wireless working for 30 minutes yesterday. I right-clicked My Computer and clicked Manage, then Device Manager, and I enabled something with Broadcom WLAN in its name and my wireless started working perfect. I shut my computer off and the next day when I turned it on the Broadcom WLAN thing was gone from Device Manager and my wireless didn't work anymore. Here is the ComboFix2.txt

ComboFix 09-08-10.06 - Administrator 08/15/2009 14:01.2.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1983.1642 [GMT -4:00]
Running from: d:\documents and settings\Administrator\My Documents\Desktop\Combo-Fix.exe
Command switches used :: d:\documents and settings\Administrator\My Documents\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\FOUND.001
c:\found.001\FILE0000.CHK
c:\found.001\FILE0001.CHK
c:\found.001\FILE0002.CHK
c:\found.001\FILE0003.CHK
c:\found.001\FILE0004.CHK
c:\found.001\FILE0005.CHK
c:\found.001\FILE0006.CHK
c:\found.001\FILE0007.CHK
c:\found.001\FILE0008.CHK
c:\found.001\FILE0009.CHK
c:\found.001\FILE0010.CHK
c:\found.001\FILE0011.CHK
c:\found.001\FILE0012.CHK
c:\found.001\FILE0013.CHK
c:\found.001\FILE0014.CHK
c:\found.001\FILE0015.CHK
c:\found.001\FILE0016.CHK
c:\found.001\FILE0017.CHK
c:\found.001\FILE0018.CHK
c:\found.001\FILE0019.CHK
c:\found.001\FILE0020.CHK
c:\found.001\FILE0021.CHK
c:\found.001\FILE0022.CHK
c:\found.001\FILE0023.CHK
c:\found.001\FILE0024.CHK
c:\found.001\FILE0025.CHK
c:\found.001\FILE0026.CHK
c:\found.001\FILE0027.CHK
c:\found.001\FILE0028.CHK
c:\found.001\FILE0029.CHK
c:\found.001\FILE0030.CHK
c:\found.001\FILE0031.CHK
c:\found.001\FILE0032.CHK
c:\found.001\FILE0033.CHK
c:\found.001\FILE0034.CHK
c:\found.001\FILE0035.CHK
c:\found.001\FILE0036.CHK
c:\found.001\FILE0037.CHK
c:\found.001\FILE0038.CHK
c:\found.001\FILE0039.CHK
c:\found.001\FILE0040.CHK
c:\found.001\FILE0041.CHK
c:\found.001\FILE0042.CHK
c:\found.001\FILE0043.CHK
c:\found.001\FILE0044.CHK
c:\found.001\FILE0045.CHK
c:\found.001\FILE0046.CHK
c:\found.001\FILE0047.CHK
c:\found.001\FILE0048.CHK
c:\found.001\FILE0049.CHK
c:\found.001\FILE0050.CHK
c:\found.001\FILE0051.CHK
c:\found.001\FILE0052.CHK
c:\found.001\FILE0053.CHK
c:\found.001\FILE0054.CHK

.
((((((((((((((((((((((((( Files Created from 2009-07-15 to 2009-08-15 )))))))))))))))))))))))))))))))
.

2009-08-15 00:14 . 2009-08-15 00:14 -------- d-----w- c:\program files\Trend Micro
2009-08-12 00:11 . 2009-08-12 00:11 -------- d-----w- c:\windows\system32\drivers\NSS
2009-08-12 00:11 . 2009-08-12 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-12 00:11 . 2009-08-12 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-12 00:11 . 2009-08-12 00:11 -------- d-----w- c:\program files\NortonInstaller
2009-08-12 00:11 . 2009-08-12 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-09 17:37 . 2009-08-09 17:37 -------- d-----w- c:\program files\Return to Castle Wolfenstein
2009-07-21 14:50 . 2009-07-21 14:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-12 00:10 . 2009-08-12 00:10 1234737 ----a-w- c:\windows\system32\xa.tmp
2009-08-05 13:37 . 2009-04-25 02:45 34 ----a-w- c:\documents and settings\Administrator\jagex_runescape_preferences.dat
2009-08-03 21:36 . 2008-04-21 13:49 10752 ----a-w- c:\windows\system32\JRSKD24.sys
2009-08-03 21:36 . 2007-10-29 00:31 6784 ----a-w- c:\windows\system32\JRSUKD24.sys
2009-07-02 16:35 . 2009-07-02 16:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-02 16:34 . 2009-07-02 16:34 -------- d-----w- c:\program files\Norton Security Scan
2009-06-21 21:31 . 2009-04-25 03:25 36304 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 21:17 . 2009-06-16 21:17 -------- d-----w- c:\program files\TI Education
2009-06-16 21:17 . 2009-06-16 21:17 -------- d-----w- c:\program files\Common Files\TI Shared
2009-06-16 21:16 . 2009-06-16 21:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-07 16:38 . 2009-06-07 16:10 35624 ----a-w- c:\windows\DIIUnin.dat
2009-06-07 16:37 . 2009-06-07 16:15 21840 ----a-w- c:\windows\system32\SIntfNT.dll
2009-06-07 16:37 . 2009-06-07 16:15 17212 ----a-w- c:\windows\system32\SIntf32.dll
2009-06-07 16:37 . 2009-06-07 16:15 12067 ----a-w- c:\windows\system32\SIntf16.dll
2009-06-07 16:25 . 2009-06-07 16:25 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-07 16:10 . 2009-06-07 16:10 94208 ----a-w- c:\windows\DIIUnin.exe
2009-06-07 16:10 . 2009-06-07 16:10 2829 ----a-w- c:\windows\DIIUnin.pif
2009-06-04 11:37 . 2009-06-04 11:37 499712 ----a-w- c:\windows\system32\msvcp71.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Administrator\Local Settings\Application Data\Temp ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-25 133104]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 202032]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-21 7581696]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-07-27 61952]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57908:TCP"= 57908:TCP:Pando Media Booster
"57908:UDP"= 57908:UDP:Pando Media Booster

S3 JRSKD24;JRSKD24;c:\windows\system32\JRSKD24.sys [4/21/2008 9:49 AM 10752]
S3 JRSUKD24;JRSUKD24;c:\windows\system32\JRSUKD24.sys [10/28/2007 8:31 PM 6784]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [5/1/2009 10:48 PM 29184]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EC0E9B94-D859-DE3A-A5D2-BC4FB000CBC0}]
c:\windows\system32\explorer.exe
.
Contents of the 'Scheduled Tasks' folder

2009-08-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-412668190-839522115-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 02:13]

2009-08-15 c:\windows\Tasks\Norton Security Scan for Administrator.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-08-12 00:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
DPF: {4ABB12B3-8A8B-481D-874A-93E16F930A8B} - hxxp://www.hangame.com/common/CKKeyProInst.cab
DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} - hxxp://id.hangame.com/common/HanSetup1020.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\l4n3mnbc.default\
FF - prefs.js: browser.startup.homepage - www.g4tv.com
FF - component: c:\program files\Mozilla Firefox\extensions\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}\components\DealioToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-15 14:03
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Completion time: 2009-08-15 14:03
ComboFix-quarantined-files.txt 2009-08-15 18:03
ComboFix2.txt 2009-08-14 23:57

Pre-Run: 19,248,644,096 bytes free
Post-Run: 19,233,505,280 bytes free

morphidus is offline  
Old 08-24-2009, 11:47 PM   #14 (permalink)
Analyst, Security Team
 
forhockey's Avatar
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: trojans causing internet limited..

Go back into device manager.

1. Are there any yellow exclamation marks or red X's under 'Network Adapters'?
2. Have you tried scanning for hardware changes? (Action menu - Scan for hardware changes)
3. Is the wireless card turned on? Most laptops have an on/off switch which controls whether the device is activated or not.
4. Can you try connecting the computer via wire instead of wireless?
forhockey is offline  
Old 08-25-2009, 04:05 PM   #15 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 18
OS: xp


Re: trojans causing internet limited..

Yes, there is a yellow exclamation mark under my "1394 Net Adapter #2". I usually use the wire and that's what I get the "limited or no connectivity" from. The wireless switch is on... but maybe there is something wrong with the actual switch itself? The scanning for hardware changes didn't do much either :[
morphidus is offline  
Old 08-25-2009, 04:41 PM   #16 (permalink)
Analyst, Security Team
 
forhockey's Avatar
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: trojans causing internet limited..

This may seem like a silly question but do you normally have the AC adapter plugged into the laptop while it's turned on?

I've seen instances where Windows will save power by turning off power to the network card.

If your network card shows up in Device Manager, I can give you instructions on how to disable it.

What make and model laptop do you have?
Does your network card show up in device manager? (I know you previously said 'no', but I want you to double check)

Last edited by forhockey; 08-25-2009 at 04:42 PM.
forhockey is offline  
Old 08-25-2009, 04:58 PM   #17 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 18
OS: xp


Re: trojans causing internet limited..

Yeah, I have it charging while it's on whenever I try to connect. I don't ALWAYS have it plugged in.. because I hear that's bad for the battery.
It's an HP Presario V6000, and (not sure if they are separate) the wireless card does not show up.. except for the one time I got it to work, and the other one is there but with a little exclamation mark near it.
morphidus is offline  
Old 08-25-2009, 05:16 PM   #18 (permalink)
Analyst, Security Team
 
forhockey's Avatar
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: trojans causing internet limited..

Can you try plugging the AC adapter into the computer? Restart the computer and leave it plugged in. Then go back into Device Manager and tell me if your Broadcom wireless device is detected.

There are no other devices in Network adapters in Device manager?

PS. 1394 Net Adapter #2 is your firewire adapter.
forhockey is offline  
Old 08-25-2009, 05:52 PM   #19 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 18
OS: xp


Re: trojans causing internet limited..

Yes, there is the NVIDIA nForce Networking Controller, and more if I click show hidden devices. I tried restarting it with the power on, still no good :(
morphidus is offline  
Old 08-26-2009, 04:52 PM   #20 (permalink)
Analyst, Security Team
 
forhockey's Avatar
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: trojans causing internet limited..

Hi morphidus,

I'm going to have to see this. If you could, take a screenshot of Device Manager showing the list of contents under 'Network Adapters', then transfer it via USB to the working computer and upload it to this post.

Please capture a screenshot and attach it in your next reply.

In Windows a screenshot of the entire monitor, complete with taskbar, can be copied to the system clipboard by pressing the Print Screen key (normally located in the top row on the right-hand side of the keyboard).

You can then paste the clipboard into a program like MS Paint to save it as an image file or paste it directly into a document.

1. Press the Print screen key
2. Click the "Start" button (normally located in the bottom left of your screen).
3. Click "Run" & type "mspaint" (without quotes) & click the "OK" button.
4. Wait while the application "Paint" opens. Once it is open, proceed to the next step.
5. Click the "Edit" menu and select "Paste".
6. Click the "File" menu and select "Save As...". A dialog box will appear.
7. In the "File name" field, enter a name of your choice.
8. Click the "Save as type" drop-down and select "JPEG (*.JPG;*.JPEG;*.JPE;*.JFIF)".
9. Click the "Save" button.


Please attach the screenshots to your post. To attach a file to a new post, simply:
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page.
  2. Click Browse, and navigate to the place where you saved the picture.
  3. Click Upload.
forhockey is offline  
Copyright 2001 - 2009, Tech Support Forum