email attacks and more that have come back

antman112 · 01-16-2007, 05:03 PM

i had an problem i little while back
http://www.techsupportforum.com/security-center/hijackthis-log-help/129504-e-mails-***-02-a.html#post722421
with 1000s of emails being sent
and you helped me remove it
but it seams it has come back
so i followed the same meford as befor to remove it no luck the E-mails have stoped for the time being but iv had a Backdoor.Fivsec and Infostealer.Bzup alert sence (i think these are gone but i cant be to shure and haveing Infostealer.Bzup on my computer i dont like the idea of atall)
i try to run a clean computer just every now and then one gets in a makes havoc
now iv run AVG 7.5, Norton and Ad-Aware SE befor posting here all found are some cookes (all done 1st)
here is a (was run 3rd see down for more details) HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 00:00, on 07-01-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Antony\My Documents\HELP\files and programs\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {711143B8-DC67-422B-8048-1A3128744F27} - C:\WINDOWS\system32\kpbakpb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: kgwdacny - C:\WINDOWS\SYSTEM32\kpbakpb.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

and here is a (was run 2nd) Kaspersky scan log (i think i may buy kaspersky as it seams to be far far better than norton (mind you what isint))
KASPERSKY ONLINE SCANNER REPORT
07-01-16 23:58
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 17/01/2007
Kaspersky Anti-Virus database records: 258958
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
Z:\
Scan Statistics
Total number of scanned objects 76798
Number of viruses found 3
Number of infected objects 13 / 0
Number of suspicious objects 0
Duration of the scan process 00:27:46

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Antony\Application Data\Mozilla\Firefox\Profiles\jvn2g7mi.default\cert8.db Object is locked skipped
C:\Documents and Settings\Antony\Application Data\Mozilla\Firefox\Profiles\jvn2g7mi.default\googlesafebrowsing.db Object is locked skipped
C:\Documents and Settings\Antony\Application Data\Mozilla\Firefox\Profiles\jvn2g7mi.default\history.dat Object is locked skipped
C:\Documents and Settings\Antony\Application Data\Mozilla\Firefox\Profiles\jvn2g7mi.default\key3.db Object is locked skipped
C:\Documents and Settings\Antony\Application Data\Mozilla\Firefox\Profiles\jvn2g7mi.default\parent.lock Object is locked skipped
C:\Documents and Settings\Antony\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Antony\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Antony\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Antony\Local Settings\Application Data\Mozilla\Firefox\Profiles\jvn2g7mi.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Antony\Local Settings\Application Data\Mozilla\Firefox\Profiles\jvn2g7mi.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Antony\Local Settings\Application Data\Mozilla\Firefox\Profiles\jvn2g7mi.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Antony\Local Settings\Application Data\Mozilla\Firefox\Profiles\jvn2g7mi.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Antony\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Antony\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Antony\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Antony\My Documents\HELP\files and programs\backups\backup-20070116-225430-316.dll Infected: Trojan.Win32.Delf.zj skipped
C:\Documents and Settings\Antony\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Antony\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-602162358-152049171-725345543-1003\Dc1 Infected: Trojan.Win32.Delf.zj skipped
C:\RECYCLER\S-1-5-21-602162358-152049171-725345543-1003\Dc2 Infected: Trojan.Win32.Delf.zj skipped
C:\RECYCLER\S-1-5-21-602162358-152049171-725345543-1003\Dc3 Infected: Trojan.Win32.Delf.zj skipped
C:\RECYCLER\S-1-5-21-602162358-152049171-725345543-1003\Dc4 Infected: Trojan.Win32.Delf.zj skipped
C:\RECYCLER\S-1-5-21-602162358-152049171-725345543-1003\Dc5.dll Infected: Trojan.Win32.Delf.zj skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP1\A0000003.exe Infected: Backdoor.Win32.Small.na skipped
C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP2\A0001476.dll Infected: Trojan.Win32.Delf.zj skipped
C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP2\A0001499.dll Infected: Trojan.Win32.Delf.zj skipped
C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP2\A0001635.EXE Infected: Trojan-Downloader.Win32.Murlo.ex skipped
C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP3\A0001857.dll Infected: Trojan.Win32.Delf.zj skipped
C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP3\A0001876.dll Infected: Trojan.Win32.Delf.zj skipped
C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP8\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\kpbakpb.dll Infected: Trojan.Win32.Delf.zj skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

i think these two are something to do wit it
O2 - BHO: (no name) - {711143B8-DC67-422B-8048-1A3128744F27} - C:\WINDOWS\system32\kpbakpb.dll
O20 - Winlogon Notify: kgwdacny - C:\WINDOWS\SYSTEM32\kpbakpb.dll
well think im sure coz i cant remove them but i dont dear mess to much as my brake my system some more

i can not stand this
i can not belive i get a virus in the 1st place
i am soon to format my computer and install vista but befor then id like my to be runing spic and span so i can use it without the worry
you have helped me meny times befor now with my own problems and others i help i respect and love the service you give each time
so i call once more as this is relly buging me (and this will hopefuly be the last time i need to ask someone esle for help

)
im going now befor i get more email attacks
i will come back tomoro
thx you agen

antony

**Pancake** · 01-18-2007, 06:04 PM

Hi.....

Please download the Killbox.

Run Killbox, left click and drag you mouse over the highlighted files below (including filepath) then right click and choose Copy (including filepath) with your mouse, rightclick and choose Copy. Insert your mouse pointer within the box entitled "Full Filepath of File to Delete", rightclick again and choose File > Paste from Clipboard. All the files should now appear in the box (click on the Tab and check to make sure that only the files I have identified as malware and marked for deletion are there). If each file exists, it will appear in blue under that window when you click on it. Click on Delete on Reboot. Next click on > "Delete on Reboot" and click on "All Files". Please do this even if this option is already checked. You will get a message saying "File with be deleted on next reboot, click "Yes". Process and Reboot now?" Click "Yes" to reboot

C:\WINDOWS\SYSTEM32\kpbakpb.dll

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

O2 - BHO: (no name) - {711143B8-DC67-422B-8048-1A3128744F27} - C:\WINDOWS\system32\kpbakpb.dll
O20 - Winlogon Notify: kgwdacny - C:\WINDOWS\SYSTEM32\kpbakpb.dll

Reboot.......................

================================

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:

Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
Once the short scan has finished, Click Options > Change settings
Choose the "Scan tab" and UNcheck "Heuristic analysis"
Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
When done, a message will be displayed at the bottom advising if any viruses were found.
Click "Yes to all" if it asks if you want to cure/move the file.
When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
Save the DrWeb.csv report to your desktop.
Exit Dr.Web Cureit when done.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report) also post a new HJT log.

antman112 · 01-19-2007, 04:02 AM

ok
1st killbox

this is what happens when i got to del the file

2nd logs
backup-20070116-225430-316.dll;C:\Documents and Settings\Antony\My Documents\HELP\files and programs\backups;Trojan.Virtumod;Deleted.;
A0001476.dll;C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP2;Trojan.Virtumod;Deleted.;
A0001499.dll;C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP2;Trojan.Virtumod;Deleted.;
A0001857.dll;C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP3;Trojan.Virtumod;Deleted.;
A0001876.dll;C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP3;Trojan.Virtumod;Deleted.;
A0003796.exe;C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP8;Trojan.PWS.GoldSpy;Deleted.;
A0003954.dll;C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP8;Trojan.Virtumod;Deleted.;
A0004272.dll;C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP8;Trojan.Virtumod;Deleted.;

and the HJ log

Logfile of HijackThis v1.99.1
Scan saved at 11:01, on 07-01-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Antony\My Documents\HELP\files and programs\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {711143B8-DC67-422B-8048-1A3128744F27} - C:\WINDOWS\system32\kpbakpb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: kgwdacny - C:\WINDOWS\SYSTEM32\kpbakpb.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

**Pancake** · 01-19-2007, 04:06 PM

Download combofix from here.

**Save it directly to your desktop**

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

====================

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe.Run the application.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Reboot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if your computer does not restart automatically please do it yourself manually.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Please post:
c:\rapport.txt
Combofix.txt
A new HijackThis log
Your may need several replies to post the requested logs, otherwise they might get cut off

antman112 · 01-20-2007, 01:29 PM

ok 1 problem
for SmitfraudFix
Not Found
The requested URL /Fix/SmitfraudFix.exe.Run was not found on this server.

Apache/ProXad [Dec 3 2006 11

17] Server at siri.urz.free.fr Port 80

combo fix

"Antony" - 07-01-20 20:27:33 Service Pack 2
ComboFix 07-01-21 - Running from: "C:\Documents and Settings\Antony\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-20 to 2007-01-20 ))))))))))))))))))))))))))))))))))

2007-01-20 20:25 <DIR> d-------- C:\WINDOWS\temp
2007-01-19 10:27 <DIR> d-------- C:\DOCUME~1\Antony\DoctorWeb
2007-01-19 10:27 <DIR> d-------- C:\DOCUME~1\Antony\DoctorWeb
2007-01-14 20:49 <DIR> d-------- C:\Program Files\Microsoft Windows Vista Upgrade Advisor
2007-01-09 16:13 <DIR> d-------- C:\Program Files\SEGA
2007-01-05 16:21 <DIR> d-------- C:\!KillBox
2007-01-05 11:32 97,792 --a------ C:\WINDOWS\system32\ntmxhyka.dll
2007-01-05 11:30 78,848 --a------ C:\WINDOWS\system32\pepaaaaa.exe
2007-01-05 11:30 61,440 --a------ C:\WINDOWS\system32\kpbakpb.dll
2007-01-05 11:30 61 --a------ C:\WINDOWS\system32\idhvhri.dll
2007-01-05 11:30 16,384 --a------ C:\WINDOWS\system32\aemqskdo.exe
2007-01-05 11:30 1,042 --a------ C:\WINDOWS\system32\mxdetaaa.exe
2007-01-05 11:30 1,042 --a------ C:\WINDOWS\system32\mtmphbeq.exe
2007-01-02 12:03 <DIR> d-------- C:\Program Files\Virtual Earth 3D
2007-01-02 12:00 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-12-28 18:56 <DIR> d-------- C:\Program Files\Common Files\SystemRequirementsLab
2006-12-28 18:56 <DIR> d-------- C:\DOCUME~1\Antony\Application Data\System Requirements Lab
2006-12-25 16:28 <DIR> d-------- C:\Program Files\TomTom HOME
2006-12-25 16:28 <DIR> d-------- C:\DOCUME~1\Antony\Application Data\InstallShield
2006-12-25 14:01 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2006-12-25 14:00 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2006-12-20 11:18 <DIR> d-------- C:\Program Files\Stardock

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-01-20 20:26 -------- d-------- C:\Program Files\Mozilla Firefox
2007-01-20 20:20 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-01-20 20:20 -------- d-------- C:\Program Files\Common Files
2007-01-19 11:42 -------- d-------- C:\DOCUME~1\Antony\Application Data\Xfire
2007-01-19 09:53 -------- d---s---- C:\Program Files\Xfire
2007-01-18 22:08 -------- d-------- C:\Program Files\zprogram counter
2007-01-12 17:56 -------- d-------- C:\Program Files\Norton SystemWorks
2007-01-09 16:13 -------- d--h----- C:\Program Files\InstallShield Installation Information
2007-01-08 22:25 -------- d-------- C:\Program Files\CleanUp!
2007-01-02 12:00 -------- d-------- C:\Program Files\Internet Explorer
2006-12-28 16:31 -------- d---s---- C:\DOCUME~1\Antony\Application Data\Microsoft
2006-12-24 19:30 -------- d-------- C:\Program Files\DivX
2006-12-24 19:27 -------- d-------- C:\DOCUME~1\Antony\Application Data\DivX
2006-12-20 21:30 -------- d-------- C:\Program Files\StarWarsGalaxies
2006-12-19 13:26 -------- d-------- C:\DOCUME~1\Antony\Application Data\Sun
2006-12-12 16:30 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-12-12 16:30 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-12-12 16:30 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-12-12 16:30 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-12-12 16:25 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-12-12 16:25 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-12-12 16:25 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-12-12 16:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-12-12 16:25 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-12-12 16:25 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-12-12 16:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-12-12 16:25 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-12-12 16:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-12-12 16:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-12-12 16:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-12-12 16:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-12-12 16:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-12-12 16:24 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-12-08 22:54 -------- d-------- C:\Program Files\Java
2006-12-08 22:52 -------- d-------- C:\Program Files\Common Files\Java
2006-12-08 10:09 -------- d-------- C:\Program Files\QuickTime
2006-12-08 10:08 -------- d-------- C:\Program Files\MSN Messenger
2006-12-08 10:08 -------- d-------- C:\Program Files\Messenger
2006-12-08 10:03 -------- d-------- C:\Program Files\AGEIA Technologies
2006-12-07 14:30 -------- d-------- C:\Program Files\InterMute
2006-12-07 13:29 -------- d-------- C:\Program Files\Alwil Software
2006-12-07 13:13 -------- d-------- C:\Program Files\GRISOFT
2006-11-28 17:22 -------- d-------- C:\Program Files\Sony
2006-11-24 14:54 81920 --a------ C:\WINDOWS\system32\OpenAL32.dll
2006-11-24 14:54 221184 --a------ C:\WINDOWS\system32\wrap_oal.dll
2006-11-22 14:43 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-11-22 13:34 -------- d-------- C:\Program Files\Lionhead Studios
2006-11-21 15:43 -------- d-------- C:\DOCUME~1\Antony\Application Data\teamspeak2
2006-11-15 17:57 139264 --a------ C:\WINDOWS\system32\hpzjrd01.dll
2006-11-10 12:52 8 --a------ C:\DOCUME~1\Antony\Application Data\NMM-MetaData.db
2006-10-22 12:22 888832 --a------ C:\WINDOWS\system32\nvmobls.dll
2006-10-22 12:22 86016 --a------ C:\WINDOWS\system32\nvmctray.dll
2006-10-22 12:22 81920 --a------ C:\WINDOWS\system32\nvwddi.dll
2006-10-22 12:22 794624 --a------ C:\WINDOWS\system32\nvcplui.exe
2006-10-22 12:22 7700480 --a------ C:\WINDOWS\system32\nvcpl.dll
2006-10-22 12:22 581632 --a------ C:\WINDOWS\system32\nvhwvid.dll
2006-10-22 12:22 5644288 --a------ C:\WINDOWS\system32\nvoglnt.dll
2006-10-22 12:22 5619712 --a------ C:\WINDOWS\system32\nvdisps.dll
2006-10-22 12:22 5255168 --a------ C:\WINDOWS\system32\nvdispsr.dll
2006-10-22 12:22 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2006-10-22 12:22 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2006-10-22 12:22 4527488 --a------ C:\WINDOWS\system32\nv4_disp.dll
2006-10-22 12:22 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2006-10-22 12:22 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2006-10-22 12:22 425984 --a------ C:\WINDOWS\system32\keystone.exe
2006-10-22 12:22 35840 --a------ C:\WINDOWS\system32\nvcodins.dll
2006-10-22 12:22 35840 --a------ C:\WINDOWS\system32\nvcod.dll
2006-10-22 12:22 3203072 --a------ C:\WINDOWS\system32\nvgamesr.dll
2006-10-22 12:22 311296 --a------ C:\WINDOWS\system32\nvexpbar.dll
2006-10-22 12:22 3047424 --a------ C:\WINDOWS\system32\nvgames.dll
2006-10-22 12:22 2973696 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2006-10-22 12:22 2924544 --a------ C:\WINDOWS\system32\nvvitvs.dll
2006-10-22 12:22 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2006-10-22 12:22 2859008 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2006-10-22 12:22 229376 --a------ C:\WINDOWS\system32\nvmccs.dll
2006-10-22 12:22 212992 --a------ C:\WINDOWS\system32\nvapi.dll
2006-10-22 12:22 188416 --a------ C:\WINDOWS\system32\nvmccss.dll
2006-10-22 12:22 1732608 --a------ C:\WINDOWS\system32\nvwssr.dll
2006-10-22 12:22 1662976 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2006-10-22 12:22 1622016 --a------ C:\WINDOWS\system32\nwiz.exe
2006-10-22 12:22 159810 --a------ C:\WINDOWS\system32\nvsvc32.exe
2006-10-22 12:22 147456 --a------ C:\WINDOWS\system32\nvcolor.exe
2006-10-22 12:22 1470464 --a------ C:\WINDOWS\system32\nview.dll
2006-10-22 12:22 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2006-10-22 12:22 1236992 --a------ C:\WINDOWS\system32\nvwss.dll
2006-10-22 12:22 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2006-10-22 12:22 1011712 --a------ C:\WINDOWS\system32\nvcpluir.dll
2006-10-05 04:55 62 --ahs---- C:\DOCUME~1\Antony\Application Data\desktop.ini

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Steam"="C:\\Program Files\\Valve\\Steam\\\\Steam.exe -silent"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"GhostStartTrayApp"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
"Profiler"="C:\\Program Files\\Saitek\\Software\\Profiler.exe"
"SaiSmart"="C:\\Program Files\\Saitek\\Software\\SaiSmart.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"AGEIA PhysX SysTray"="C:\\Program Files\\AGEIA Technologies\\TrayIcon.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"TomTomHOME.exe"="\"C:\\Program Files\\TomTom HOME\\TomTomHOME.exe\" -s"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{3E898EEA-FEFA-451b-ACF2-7561F94B1191}"="gkj"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 07-01-20 20:27:55.15
C:\ComboFix2.txt ... 07-01-20 20:25
C:\ComboFix3.txt ... 07-01-08 22:22
C:\ComboFix4.txt ... 07-01-08 22:23

HJ log

Logfile of HijackThis v1.99.1
Scan saved at 20:28, on 07-01-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Antony\My Documents\HELP\files and programs\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {711143B8-DC67-422B-8048-1A3128744F27} - C:\WINDOWS\system32\kpbakpb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: kgwdacny - C:\WINDOWS\SYSTEM32\kpbakpb.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

**Pancake** · 01-20-2007, 04:29 PM

Open notepad and copy/paste the text in the quotebox below into it:

Code:

@echo off
For %%g in (
C:\WINDOWS\system32\ntmxhyka.dll
 C:\WINDOWS\system32\pepaaaaa.exe
 C:\WINDOWS\system32\kpbakpb.dll
C:\WINDOWS\system32\idhvhri.dll
 C:\WINDOWS\system32\aemqskdo.exe
C:\WINDOWS\system32\mxdetaaa.exe
C:\WINDOWS\system32\mtmphbeq.exe
) do del /a/f %%g >nul 2>&1

rd /s/q C:\WINDOWS\wwzm >nul 2>&1
rd /s/q "C:\Program Files\Common Files\wwzm" >nul 2>&1
rd /s/q "C:\Program Files\pPatch~1" >nul 2>&1
rd /s/q "C:\Program Files\VSAdd-in" >nul 2>&1
cls 
echo.Done!!
pause
exit

Save this as fix.bat Choose to "Save type as - All Files"

Double click on fix.bat & allow it to run

Reboot and run the Combofix and post its log.....

antman112 · 01-21-2007, 09:59 AM

hummn
did what you said

"Antony" - 07-01-21 16:58:00 Service Pack 2
ComboFix 07-01-21 - Running from: "C:\Documents and Settings\Antony\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-21 to 2007-01-21 ))))))))))))))))))))))))))))))))))

2007-01-21 16:57 <DIR> d-------- C:\WINDOWS\temp
2007-01-19 10:27 <DIR> d-------- C:\DOCUME~1\Antony\DoctorWeb
2007-01-19 10:27 <DIR> d-------- C:\DOCUME~1\Antony\DoctorWeb
2007-01-14 20:49 <DIR> d-------- C:\Program Files\Microsoft Windows Vista Upgrade Advisor
2007-01-09 16:13 <DIR> d-------- C:\Program Files\SEGA
2007-01-05 16:21 <DIR> d-------- C:\!KillBox
2007-01-05 11:32 97,792 --a------ C:\WINDOWS\system32\ntmxhyka.dll
2007-01-05 11:30 61,440 --a------ C:\WINDOWS\system32\kpbakpb.dll
2007-01-02 12:03 <DIR> d-------- C:\Program Files\Virtual Earth 3D
2007-01-02 12:00 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-12-28 18:56 <DIR> d-------- C:\Program Files\Common Files\SystemRequirementsLab
2006-12-28 18:56 <DIR> d-------- C:\DOCUME~1\Antony\Application Data\System Requirements Lab
2006-12-25 16:28 <DIR> d-------- C:\Program Files\TomTom HOME
2006-12-25 16:28 <DIR> d-------- C:\DOCUME~1\Antony\Application Data\InstallShield
2006-12-25 14:01 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2006-12-25 14:00 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-01-21 16:53 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-01-21 16:53 -------- d-------- C:\Program Files\Common Files
2007-01-21 16:44 -------- d-------- C:\Program Files\Mozilla Firefox
2007-01-20 21:48 -------- d-------- C:\Program Files\zprogram counter
2007-01-19 11:42 -------- d-------- C:\DOCUME~1\Antony\Application Data\Xfire
2007-01-19 09:53 -------- d---s---- C:\Program Files\Xfire
2007-01-12 17:56 -------- d-------- C:\Program Files\Norton SystemWorks
2007-01-09 16:13 -------- d--h----- C:\Program Files\InstallShield Installation Information
2007-01-08 22:25 -------- d-------- C:\Program Files\CleanUp!
2007-01-02 12:00 -------- d-------- C:\Program Files\Internet Explorer
2006-12-28 16:31 -------- d---s---- C:\DOCUME~1\Antony\Application Data\Microsoft
2006-12-24 19:30 -------- d-------- C:\Program Files\DivX
2006-12-24 19:27 -------- d-------- C:\DOCUME~1\Antony\Application Data\DivX
2006-12-20 21:30 -------- d-------- C:\Program Files\StarWarsGalaxies
2006-12-20 11:18 -------- d-------- C:\Program Files\Stardock
2006-12-19 13:26 -------- d-------- C:\DOCUME~1\Antony\Application Data\Sun
2006-12-12 16:30 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-12-12 16:30 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-12-12 16:30 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-12-12 16:30 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-12-12 16:25 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-12-12 16:25 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-12-12 16:25 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-12-12 16:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-12-12 16:25 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-12-12 16:25 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-12-12 16:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-12-12 16:25 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-12-12 16:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-12-12 16:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-12-12 16:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-12-12 16:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-12-12 16:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-12-12 16:24 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-12-08 22:54 -------- d-------- C:\Program Files\Java
2006-12-08 22:52 -------- d-------- C:\Program Files\Common Files\Java
2006-12-08 10:09 -------- d-------- C:\Program Files\QuickTime
2006-12-08 10:08 -------- d-------- C:\Program Files\MSN Messenger
2006-12-08 10:08 -------- d-------- C:\Program Files\Messenger
2006-12-08 10:03 -------- d-------- C:\Program Files\AGEIA Technologies
2006-12-07 14:30 -------- d-------- C:\Program Files\InterMute
2006-12-07 13:29 -------- d-------- C:\Program Files\Alwil Software
2006-12-07 13:13 -------- d-------- C:\Program Files\GRISOFT
2006-11-28 17:22 -------- d-------- C:\Program Files\Sony
2006-11-24 14:54 81920 --a------ C:\WINDOWS\system32\OpenAL32.dll
2006-11-24 14:54 221184 --a------ C:\WINDOWS\system32\wrap_oal.dll
2006-11-22 14:43 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-11-22 13:34 -------- d-------- C:\Program Files\Lionhead Studios
2006-11-21 15:43 -------- d-------- C:\DOCUME~1\Antony\Application Data\teamspeak2
2006-11-15 17:57 139264 --a------ C:\WINDOWS\system32\hpzjrd01.dll
2006-11-10 12:52 8 --a------ C:\DOCUME~1\Antony\Application Data\NMM-MetaData.db
2006-10-22 12:22 888832 --a------ C:\WINDOWS\system32\nvmobls.dll
2006-10-22 12:22 86016 --a------ C:\WINDOWS\system32\nvmctray.dll
2006-10-22 12:22 81920 --a------ C:\WINDOWS\system32\nvwddi.dll
2006-10-22 12:22 794624 --a------ C:\WINDOWS\system32\nvcplui.exe
2006-10-22 12:22 7700480 --a------ C:\WINDOWS\system32\nvcpl.dll
2006-10-22 12:22 581632 --a------ C:\WINDOWS\system32\nvhwvid.dll
2006-10-22 12:22 5644288 --a------ C:\WINDOWS\system32\nvoglnt.dll
2006-10-22 12:22 5619712 --a------ C:\WINDOWS\system32\nvdisps.dll
2006-10-22 12:22 5255168 --a------ C:\WINDOWS\system32\nvdispsr.dll
2006-10-22 12:22 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2006-10-22 12:22 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2006-10-22 12:22 4527488 --a------ C:\WINDOWS\system32\nv4_disp.dll
2006-10-22 12:22 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2006-10-22 12:22 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2006-10-22 12:22 425984 --a------ C:\WINDOWS\system32\keystone.exe
2006-10-22 12:22 35840 --a------ C:\WINDOWS\system32\nvcodins.dll
2006-10-22 12:22 35840 --a------ C:\WINDOWS\system32\nvcod.dll
2006-10-22 12:22 3203072 --a------ C:\WINDOWS\system32\nvgamesr.dll
2006-10-22 12:22 311296 --a------ C:\WINDOWS\system32\nvexpbar.dll
2006-10-22 12:22 3047424 --a------ C:\WINDOWS\system32\nvgames.dll
2006-10-22 12:22 2973696 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2006-10-22 12:22 2924544 --a------ C:\WINDOWS\system32\nvvitvs.dll
2006-10-22 12:22 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2006-10-22 12:22 2859008 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2006-10-22 12:22 229376 --a------ C:\WINDOWS\system32\nvmccs.dll
2006-10-22 12:22 212992 --a------ C:\WINDOWS\system32\nvapi.dll
2006-10-22 12:22 188416 --a------ C:\WINDOWS\system32\nvmccss.dll
2006-10-22 12:22 1732608 --a------ C:\WINDOWS\system32\nvwssr.dll
2006-10-22 12:22 1662976 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2006-10-22 12:22 1622016 --a------ C:\WINDOWS\system32\nwiz.exe
2006-10-22 12:22 159810 --a------ C:\WINDOWS\system32\nvsvc32.exe
2006-10-22 12:22 147456 --a------ C:\WINDOWS\system32\nvcolor.exe
2006-10-22 12:22 1470464 --a------ C:\WINDOWS\system32\nview.dll
2006-10-22 12:22 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2006-10-22 12:22 1236992 --a------ C:\WINDOWS\system32\nvwss.dll
2006-10-22 12:22 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2006-10-22 12:22 1011712 --a------ C:\WINDOWS\system32\nvcpluir.dll
2006-10-05 04:55 62 --ahs---- C:\DOCUME~1\Antony\Application Data\desktop.ini

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Steam"="C:\\Program Files\\Valve\\Steam\\\\Steam.exe -silent"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"GhostStartTrayApp"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
"Profiler"="C:\\Program Files\\Saitek\\Software\\Profiler.exe"
"SaiSmart"="C:\\Program Files\\Saitek\\Software\\SaiSmart.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"AGEIA PhysX SysTray"="C:\\Program Files\\AGEIA Technologies\\TrayIcon.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"TomTomHOME.exe"="\"C:\\Program Files\\TomTom HOME\\TomTomHOME.exe\" -s"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{3E898EEA-FEFA-451b-ACF2-7561F94B1191}"="gkj"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 07-01-21 16:58:22.60
C:\ComboFix2.txt ... 07-01-21 16:56
C:\ComboFix3.txt ... 07-01-20 20:27
C:\ComboFix4.txt ... 07-01-08 22:23
C:\ComboFix5.txt ... 07-01-20 20:28

**Pancake** · 01-21-2007, 04:14 PM

Hi...

Please download The Avenger to your Desktop and unzip it.

Copy all the text contained in the code box below ( including the words "files to delete" ) by highlighting it and right clicking and selecting "Copy"

Quote:

Files to delete:
C:\WINDOWS\system32\ntmxhyka.dll
C:\WINDOWS\system32\kpbakpb.dll

Now, start The Avenger program by clicking on its icon on your desktop. Look under "Script file to execute" and click on "Input Script Manually". Next click on the Magnifying Glass icon and a blank dialogue box will open called "View/Edit script". Position your mouse inside the box, rightclick and choose Paste. All the text above in the code box should now appear there. Click Done and click on the Green Light to begin execution of the script. Answer "Yes" twice when prompted.

The Avenger will restart your computer. (if the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)

When you have rebooted, a black command window briefly opens on your desktop, this is normal. A logfile will be created that records all actions that The Avenger performed. This log file is saved to C:\avenger.txt. The deleted files will be backed up and saved to C:\avenger\backup.zip.

Once your computer has rebooted, please post back the contents of C:\avenger.txt, a new Hijack This log.

antman112 · 01-22-2007, 09:08 AM

ok here we go
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\opmojugg

*******************

Script file located at: \??\C:\cadhlhui.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\ntmxhyka.dll deleted successfully.
File C:\WINDOWS\system32\kpbakpb.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

and

Logfile of HijackThis v1.99.1
Scan saved at 16:08, on 07-01-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Documents and Settings\Antony\My Documents\HELP\files and programs\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {711143B8-DC67-422B-8048-1A3128744F27} - C:\WINDOWS\system32\kpbakpb.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: kgwdacny - kpbakpb.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

(file missing) thats a new one on me

**Pancake** · 01-22-2007, 04:12 PM

Ok.Last bit to do....Remove these from the log and that should have you all back to normal...

O2 - BHO: (no name) - {711143B8-DC67-422B-8048-1A3128744F27} - C:\WINDOWS\system32\kpbakpb.dll (file missing)
O20 - Winlogon Notify: kgwdacny - kpbakpb.dll (file missing)

If you wish to do so, here are a few things that you can do that will help keep your computer a bit more clean and secure..

If you have not already done so, you might want to run Disk Cleanup and run it in each user's profile:

Run Disk Cleanup
Click "Start > Programs > Accessories > System Tools > Disk Cleanup"
Please make sure the following are checked:
-- Downloaded Program Files
-- Temporary Internet Files
-- Recycle Bin
-- Temporary Files
Click "OK" and Disk Cleanup will delete those files for you.

Now that you are clean its now is a good time to flush out your restored files.

To flush the XP System Restore Points:
(Using XP, you must be logged in as Administrator to do this.)
Go to Start>Run and type msconfig Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn Off System Restore.

Reboot. Go back in and turn System Restore ON. A new Restore Point will be created.

How Do I Protect My Computer Against Future Malware Now I'm Clean.

NOTE:You may have already taken some of these steps.

Update your anti-virus software & Windows operating system on a daily or weekly basis. Microsoft also distributes updates to its operating systems. These updates fix security holes or other problems that make a computer susceptible to security breaches. How to update your Windows operating system

Know What You're Installing
Check the source.
To avoid malware, make sure your software comes from a reputable source. Be particularly suspicious of sponsored software (software that relies on advertising) or software that claims to speed up your Internet connection.

Use Custom Install.
If you feel comfortable with software installation, you can choose Custom Install (as opposed to Typical Install). Custom Install allows you to select only the software components you wish to install, and leave out others (such as potential spyware).

Modify Security Settings (Internet Explorer 6)
To reduce the risk of installing malware, you can set Internet Explorer to high security mode. To do so:

Open Internet Explorer. Go to Tools > Internet Options….
On the Internet Options screen, select the Security tab, then select the Internet icon (if it is not already selected).
Under Security level for this zone, click Default Level. Set the slider to High.
Note: You may have to lower the security level to view certain Web sites.
Next, select the Trusted Sites icon. Under Security level for this zone, click Default Level. Set the slider to Medium.
Click Apply, then OK to save the changes.

Some Recommended Protection Programs

Each tool has its own strengths for identifying and removing specific types of malware. To thoroughly check your computer, its recommend that you use more than one malware removal program. Don't forget to back up your data files before starting a scan!

Some available programs are:

Ad-Aware
SpyBot Search & Destroy

Now that you are clean, to help protect your system I recommend that you get the following free programs:
SpywareBlaster to help prevent spyware from installing.
SpywareGuard to catch and block spyware .
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
WinPatrol to monitor any changes that programs make to the registry.

If you do not have a firewall, here is a free one for personal use:

ZoneAlarm
http://www.zonelabs.com/store/conten..._freedownloads
http://www.zonelabs.com/store/conten...g=en&lid=ho_za

Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link:

http://www.spywarewarrior.com/rogue_anti-spyware.htm
If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above link work, check this for an independent comparison of several anti-spyware programs:

http://www.spywarewarrior.com/asw-test-guide.htm

Here is a helpful article:
"So how did I get infected in the first place?"

http://computercops.biz/postlite7736-.html

http://www.pchelpforum.com/tutorials...t-your-pc.html

Let us know if we have not resolved your problem. Otherwise, you are good to go.
Happy and Safe Surfing!

antman112 · 01-23-2007, 08:19 AM

eveything is removed now
and system is working as it did the day i built it
thx you for your help
this is the last time im going to let this happen iv up my security and am updateding soon

thx you for your help
each time i come here i see more of the overwellming skill you people have
thx agen

**Pancake** · 01-23-2007, 04:29 PM

Ok.Glad it all fine.

01-16-2007, 05:03 PM	#1 (permalink)
antman112 Registered User Join Date: Dec 2005 Posts: 25 OS: XP pro	email attacks and more that have come back i had an problem i little while back http://www.techsupportforum.com/security-center/hijackthis-log-help/129504-e-mails-***-02-a.html#post722421 with 1000s of emails being sent and you helped me remove it but it seams it has come back so i followed the same meford as befor to remove it no luck the E-mails have stoped for the time being but iv had a Backdoor.Fivsec and Infostealer.Bzup alert sence (i think these are gone but i cant be to shure and haveing Infostealer.Bzup on my computer i dont like the idea of atall) i try to run a clean computer just every now and then one gets in a makes havoc now iv run AVG 7.5, Norton and Ad-Aware SE befor posting here all found are some cookes (all done 1st) here is a (was run 3rd see down for more details) HijackThis log Logfile of HijackThis v1.99.1 Scan saved at 00:00, on 07-01-17 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\HPZipm12.exe C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe C:\Program Files\Saitek\Software\Profiler.exe C:\Program Files\Saitek\Software\SaiSmart.exe C:\Program Files\AGEIA Technologies\TrayIcon.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\TomTom HOME\TomTomHOME.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Antony\My Documents\HELP\files and programs\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {711143B8-DC67-422B-8048-1A3128744F27} - C:\WINDOWS\system32\kpbakpb.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: kgwdacny - C:\WINDOWS\SYSTEM32\kpbakpb.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe and here is a (was run 2nd) Kaspersky scan log (i think i may buy kaspersky as it seams to be far far better than norton (mind you what isint)) KASPERSKY ONLINE SCANNER REPORT 07-01-16 23:58 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.83.0 Kaspersky Anti-Virus database last update: 17/01/2007 Kaspersky Anti-Virus database records: 258958 Scan Settings Scan using the following antivirus database extended Scan Archives true Scan Mail Bases true Scan Target My Computer A:\ C:\ D:\ Z:\ Scan Statistics Total number of scanned objects 76798 Number of viruses found 3 Number of infected objects 13 / 0 Number of suspicious objects 0 Duration of the scan process 00:27:46 Infected Object Name Virus Name Last Action C:\Documents and Settings\Antony\Application Data\Mozilla\Firefox\Profiles\jvn2g7mi.default\cert8.db Object is locked skipped C:\Documents and Settings\Antony\Application Data\Mozilla\Firefox\Profiles\jvn2g7mi.default\googlesafebrowsing.db Object is locked skipped C:\Documents and Settings\Antony\Application Data\Mozilla\Firefox\Profiles\jvn2g7mi.default\history.dat Object is locked skipped C:\Documents and Settings\Antony\Application Data\Mozilla\Firefox\Profiles\jvn2g7mi.default\key3.db Object is locked skipped C:\Documents and Settings\Antony\Application Data\Mozilla\Firefox\Profiles\jvn2g7mi.default\parent.lock Object is locked skipped C:\Documents and Settings\Antony\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Antony\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Antony\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Antony\Local Settings\Application Data\Mozilla\Firefox\Profiles\jvn2g7mi.default\Cache\_CACHE_001_ Object is locked skipped C:\Documents and Settings\Antony\Local Settings\Application Data\Mozilla\Firefox\Profiles\jvn2g7mi.default\Cache\_CACHE_002_ Object is locked skipped C:\Documents and Settings\Antony\Local Settings\Application Data\Mozilla\Firefox\Profiles\jvn2g7mi.default\Cache\_CACHE_003_ Object is locked skipped C:\Documents and Settings\Antony\Local Settings\Application Data\Mozilla\Firefox\Profiles\jvn2g7mi.default\Cache\_CACHE_MAP_ Object is locked skipped C:\Documents and Settings\Antony\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Antony\Local Settings\Temp\hpodvd09.log Object is locked skipped C:\Documents and Settings\Antony\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Antony\My Documents\HELP\files and programs\backups\backup-20070116-225430-316.dll Infected: Trojan.Win32.Delf.zj skipped C:\Documents and Settings\Antony\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Antony\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVApp.log Object is locked skipped C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVError.log Object is locked skipped C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVVirus.log Object is locked skipped C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped C:\RECYCLER\S-1-5-21-602162358-152049171-725345543-1003\Dc1 Infected: Trojan.Win32.Delf.zj skipped C:\RECYCLER\S-1-5-21-602162358-152049171-725345543-1003\Dc2 Infected: Trojan.Win32.Delf.zj skipped C:\RECYCLER\S-1-5-21-602162358-152049171-725345543-1003\Dc3 Infected: Trojan.Win32.Delf.zj skipped C:\RECYCLER\S-1-5-21-602162358-152049171-725345543-1003\Dc4 Infected: Trojan.Win32.Delf.zj skipped C:\RECYCLER\S-1-5-21-602162358-152049171-725345543-1003\Dc5.dll Infected: Trojan.Win32.Delf.zj skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP1\A0000003.exe Infected: Backdoor.Win32.Small.na skipped C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP2\A0001476.dll Infected: Trojan.Win32.Delf.zj skipped C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP2\A0001499.dll Infected: Trojan.Win32.Delf.zj skipped C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP2\A0001635.EXE Infected: Trojan-Downloader.Win32.Murlo.ex skipped C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP3\A0001857.dll Infected: Trojan.Win32.Delf.zj skipped C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP3\A0001876.dll Infected: Trojan.Win32.Delf.zj skipped C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP8\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\kpbakpb.dll Infected: Trojan.Win32.Delf.zj skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed. i think these two are something to do wit it O2 - BHO: (no name) - {711143B8-DC67-422B-8048-1A3128744F27} - C:\WINDOWS\system32\kpbakpb.dll O20 - Winlogon Notify: kgwdacny - C:\WINDOWS\SYSTEM32\kpbakpb.dll well think im sure coz i cant remove them but i dont dear mess to much as my brake my system some more i can not stand this i can not belive i get a virus in the 1st place i am soon to format my computer and install vista but befor then id like my to be runing spic and span so i can use it without the worry you have helped me meny times befor now with my own problems and others i help i respect and love the service you give each time so i call once more as this is relly buging me (and this will hopefuly be the last time i need to ask someone esle for help ) im going now befor i get more email attacks i will come back tomoro thx you agen antony __________________ im dyslexic so sorry for any speeling misstkes

01-18-2007, 06:04 PM	#2 (permalink)
Pancake Security Team (ret.) Join Date: Nov 2003 Location: Victoria.Australia Posts: 7,404 OS: XP Pro SP3	Hi..... Please download the Killbox. Run Killbox, left click and drag you mouse over the highlighted files below (including filepath) then right click and choose Copy (including filepath) with your mouse, rightclick and choose Copy. Insert your mouse pointer within the box entitled "Full Filepath of File to Delete", rightclick again and choose File > Paste from Clipboard. All the files should now appear in the box (click on the Tab and check to make sure that only the files I have identified as malware and marked for deletion are there). If each file exists, it will appear in blue under that window when you click on it. Click on Delete on Reboot. Next click on > "Delete on Reboot" and click on "All Files". Please do this even if this option is already checked. You will get a message saying "File with be deleted on next reboot, click "Yes". Process and Reboot now?" Click "Yes" to reboot C:\WINDOWS\SYSTEM32\kpbakpb.dll Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT. O2 - BHO: (no name) - {711143B8-DC67-422B-8048-1A3128744F27} - C:\WINDOWS\system32\kpbakpb.dll O20 - Winlogon Notify: kgwdacny - C:\WINDOWS\SYSTEM32\kpbakpb.dll Reboot....................... ================================ Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet. Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Scan with DrWeb-CureIt as follows: Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear. Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes* button when it asks you if you want to cure it.* Once the short scan has finished, Click Options > Change settings Choose the "Scan tab" and UNcheck "Heuristic analysis" Back at the main window, click "Select drives" (a red dot will show which drives have been chosen) Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start. When done, a message will be displayed at the bottom advising if any viruses were found. Click "Yes to all" if it asks if you want to cure/move the file. When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured) Next, in the Dr.Web CureIt menu on top, click file and choose save report list. Save the DrWeb.csv report to your desktop. Exit Dr.Web Cureit when done. Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot. After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report) also post a new HJT log. __________________ Eddy

01-19-2007, 04:02 AM	#3 (permalink)
antman112 Registered User Join Date: Dec 2005 Posts: 25 OS: XP pro	ok 1st killbox this is what happens when i got to del the file 2nd logs backup-20070116-225430-316.dll;C:\Documents and Settings\Antony\My Documents\HELP\files and programs\backups;Trojan.Virtumod;Deleted.; A0001476.dll;C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP2;Trojan.Virtumod;Deleted.; A0001499.dll;C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP2;Trojan.Virtumod;Deleted.; A0001857.dll;C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP3;Trojan.Virtumod;Deleted.; A0001876.dll;C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP3;Trojan.Virtumod;Deleted.; A0003796.exe;C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP8;Trojan.PWS.GoldSpy;Deleted.; A0003954.dll;C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP8;Trojan.Virtumod;Deleted.; A0004272.dll;C:\System Volume Information\_restore{98E375D0-55B1-444C-8B91-2AE3E96D0C18}\RP8;Trojan.Virtumod;Deleted.; and the HJ log Logfile of HijackThis v1.99.1 Scan saved at 11:01, on 07-01-19 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe C:\Program Files\Saitek\Software\Profiler.exe C:\Program Files\Saitek\Software\SaiSmart.exe C:\Program Files\AGEIA Technologies\TrayIcon.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\TomTom HOME\TomTomHOME.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\Program Files\Valve\Steam\Steam.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Xfire\Xfire.exe C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Antony\My Documents\HELP\files and programs\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {711143B8-DC67-422B-8048-1A3128744F27} - C:\WINDOWS\system32\kpbakpb.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: kgwdacny - C:\WINDOWS\SYSTEM32\kpbakpb.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe __________________ im dyslexic so sorry for any speeling misstkes

01-19-2007, 04:06 PM	#4 (permalink)
Pancake Security Team (ret.) Join Date: Nov 2003 Location: Victoria.Australia Posts: 7,404 OS: XP Pro SP3	Download combofix from here. Save it directly to your desktop Double click on combofix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall ==================== Download SmitfraudFix (by S!Ri) to your Desktop. http://siri.urz.free.fr/Fix/SmitfraudFix.exe.Run the application. Open the SmitfraudFix folder and double-click smitfraudfix.cmd Reboot your computer in Safe Mode. If the computer is running, shut down Windows, and then turn off the power. Wait 30 seconds, and then turn the computer on. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. Ensure that the Safe Mode option is selected. Press Enter. The computer then begins to start in Safe mode. Login on your usual account. Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and press Enter. Wait for the tool to complete and disk cleanup to finish. You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter. A reboot may be needed to finish the cleaning process, if your computer does not restart automatically please do it yourself manually. The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply. Please post: c:\rapport.txt Combofix.txt A new HijackThis log Your may need several replies to post the requested logs, otherwise they might get cut off __________________ Eddy

01-20-2007, 01:29 PM	#5 (permalink)
antman112 Registered User Join Date: Dec 2005 Posts: 25 OS: XP pro	ok 1 problem for SmitfraudFix Not Found The requested URL /Fix/SmitfraudFix.exe.Run was not found on this server. Apache/ProXad [Dec 3 2006 1117] Server at siri.urz.free.fr Port 80 combo fix "Antony" - 07-01-20 20:27:33 Service Pack 2 ComboFix 07-01-21 - Running from: "C:\Documents and Settings\Antony\Desktop" ((((((((((((((((((((((((((((((( Files Created from 2006-12-20 to 2007-01-20 )))))))))))))))))))))))))))))))))) 2007-01-20 20:25 <DIR> d-------- C:\WINDOWS\temp 2007-01-19 10:27 <DIR> d-------- C:\DOCUME~1\Antony\DoctorWeb 2007-01-19 10:27 <DIR> d-------- C:\DOCUME~1\Antony\DoctorWeb 2007-01-14 20:49 <DIR> d-------- C:\Program Files\Microsoft Windows Vista Upgrade Advisor 2007-01-09 16:13 <DIR> d-------- C:\Program Files\SEGA 2007-01-05 16:21 <DIR> d-------- C:\!KillBox 2007-01-05 11:32 97,792 --a------ C:\WINDOWS\system32\ntmxhyka.dll 2007-01-05 11:30 78,848 --a------ C:\WINDOWS\system32\pepaaaaa.exe 2007-01-05 11:30 61,440 --a------ C:\WINDOWS\system32\kpbakpb.dll 2007-01-05 11:30 61 --a------ C:\WINDOWS\system32\idhvhri.dll 2007-01-05 11:30 16,384 --a------ C:\WINDOWS\system32\aemqskdo.exe 2007-01-05 11:30 1,042 --a------ C:\WINDOWS\system32\mxdetaaa.exe 2007-01-05 11:30 1,042 --a------ C:\WINDOWS\system32\mtmphbeq.exe 2007-01-02 12:03 <DIR> d-------- C:\Program Files\Virtual Earth 3D 2007-01-02 12:00 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe 2006-12-28 18:56 <DIR> d-------- C:\Program Files\Common Files\SystemRequirementsLab 2006-12-28 18:56 <DIR> d-------- C:\DOCUME~1\Antony\Application Data\System Requirements Lab 2006-12-25 16:28 <DIR> d-------- C:\Program Files\TomTom HOME 2006-12-25 16:28 <DIR> d-------- C:\DOCUME~1\Antony\Application Data\InstallShield 2006-12-25 14:01 21,504 --a------ C:\WINDOWS\system32\hidserv.dll 2006-12-25 14:00 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro 2006-12-20 11:18 <DIR> d-------- C:\Program Files\Stardock (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-01-20 20:26 -------- d-------- C:\Program Files\Mozilla Firefox 2007-01-20 20:20 -------- d-------- C:\Program Files\Common Files\Symantec Shared 2007-01-20 20:20 -------- d-------- C:\Program Files\Common Files 2007-01-19 11:42 -------- d-------- C:\DOCUME~1\Antony\Application Data\Xfire 2007-01-19 09:53 -------- d---s---- C:\Program Files\Xfire 2007-01-18 22:08 -------- d-------- C:\Program Files\zprogram counter 2007-01-12 17:56 -------- d-------- C:\Program Files\Norton SystemWorks 2007-01-09 16:13 -------- d--h----- C:\Program Files\InstallShield Installation Information 2007-01-08 22:25 -------- d-------- C:\Program Files\CleanUp! 2007-01-02 12:00 -------- d-------- C:\Program Files\Internet Explorer 2006-12-28 16:31 -------- d---s---- C:\DOCUME~1\Antony\Application Data\Microsoft 2006-12-24 19:30 -------- d-------- C:\Program Files\DivX 2006-12-24 19:27 -------- d-------- C:\DOCUME~1\Antony\Application Data\DivX 2006-12-20 21:30 -------- d-------- C:\Program Files\StarWarsGalaxies 2006-12-19 13:26 -------- d-------- C:\DOCUME~1\Antony\Application Data\Sun 2006-12-12 16:30 520192 --a------ C:\WINDOWS\system32\DivXsm.exe 2006-12-12 16:30 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll 2006-12-12 16:30 200704 --a------ C:\WINDOWS\system32\ssldivx.dll 2006-12-12 16:30 1044480 --a------ C:\WINDOWS\system32\libdivx.dll 2006-12-12 16:25 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll 2006-12-12 16:25 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll 2006-12-12 16:25 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll 2006-12-12 16:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll 2006-12-12 16:25 635486 --a------ C:\WINDOWS\system32\DivX.dll 2006-12-12 16:25 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll 2006-12-12 16:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll 2006-12-12 16:25 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll 2006-12-12 16:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll 2006-12-12 16:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll 2006-12-12 16:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll 2006-12-12 16:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll 2006-12-12 16:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll 2006-12-12 16:24 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe 2006-12-08 22:54 -------- d-------- C:\Program Files\Java 2006-12-08 22:52 -------- d-------- C:\Program Files\Common Files\Java 2006-12-08 10:09 -------- d-------- C:\Program Files\QuickTime 2006-12-08 10:08 -------- d-------- C:\Program Files\MSN Messenger 2006-12-08 10:08 -------- d-------- C:\Program Files\Messenger 2006-12-08 10:03 -------- d-------- C:\Program Files\AGEIA Technologies 2006-12-07 14:30 -------- d-------- C:\Program Files\InterMute 2006-12-07 13:29 -------- d-------- C:\Program Files\Alwil Software 2006-12-07 13:13 -------- d-------- C:\Program Files\GRISOFT 2006-11-28 17:22 -------- d-------- C:\Program Files\Sony 2006-11-24 14:54 81920 --a------ C:\WINDOWS\system32\OpenAL32.dll 2006-11-24 14:54 221184 --a------ C:\WINDOWS\system32\wrap_oal.dll 2006-11-22 14:43 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys 2006-11-22 13:34 -------- d-------- C:\Program Files\Lionhead Studios 2006-11-21 15:43 -------- d-------- C:\DOCUME~1\Antony\Application Data\teamspeak2 2006-11-15 17:57 139264 --a------ C:\WINDOWS\system32\hpzjrd01.dll 2006-11-10 12:52 8 --a------ C:\DOCUME~1\Antony\Application Data\NMM-MetaData.db 2006-10-22 12:22 888832 --a------ C:\WINDOWS\system32\nvmobls.dll 2006-10-22 12:22 86016 --a------ C:\WINDOWS\system32\nvmctray.dll 2006-10-22 12:22 81920 --a------ C:\WINDOWS\system32\nvwddi.dll 2006-10-22 12:22 794624 --a------ C:\WINDOWS\system32\nvcplui.exe 2006-10-22 12:22 7700480 --a------ C:\WINDOWS\system32\nvcpl.dll 2006-10-22 12:22 581632 --a------ C:\WINDOWS\system32\nvhwvid.dll 2006-10-22 12:22 5644288 --a------ C:\WINDOWS\system32\nvoglnt.dll 2006-10-22 12:22 5619712 --a------ C:\WINDOWS\system32\nvdisps.dll 2006-10-22 12:22 5255168 --a------ C:\WINDOWS\system32\nvdispsr.dll 2006-10-22 12:22 466944 --a------ C:\WINDOWS\system32\nvshell.dll 2006-10-22 12:22 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll 2006-10-22 12:22 4527488 --a------ C:\WINDOWS\system32\nv4_disp.dll 2006-10-22 12:22 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll 2006-10-22 12:22 442368 --a------ C:\WINDOWS\system32\nvappbar.exe 2006-10-22 12:22 425984 --a------ C:\WINDOWS\system32\keystone.exe 2006-10-22 12:22 35840 --a------ C:\WINDOWS\system32\nvcodins.dll 2006-10-22 12:22 35840 --a------ C:\WINDOWS\system32\nvcod.dll 2006-10-22 12:22 3203072 --a------ C:\WINDOWS\system32\nvgamesr.dll 2006-10-22 12:22 311296 --a------ C:\WINDOWS\system32\nvexpbar.dll 2006-10-22 12:22 3047424 --a------ C:\WINDOWS\system32\nvgames.dll 2006-10-22 12:22 2973696 --a------ C:\WINDOWS\system32\nvvitvsr.dll 2006-10-22 12:22 2924544 --a------ C:\WINDOWS\system32\nvvitvs.dll 2006-10-22 12:22 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll 2006-10-22 12:22 2859008 --a------ C:\WINDOWS\system32\nvmoblsr.dll 2006-10-22 12:22 229376 --a------ C:\WINDOWS\system32\nvmccs.dll 2006-10-22 12:22 212992 --a------ C:\WINDOWS\system32\nvapi.dll 2006-10-22 12:22 188416 --a------ C:\WINDOWS\system32\nvmccss.dll 2006-10-22 12:22 1732608 --a------ C:\WINDOWS\system32\nvwssr.dll 2006-10-22 12:22 1662976 --a------ C:\WINDOWS\system32\nvwdmcpl.dll 2006-10-22 12:22 1622016 --a------ C:\WINDOWS\system32\nwiz.exe 2006-10-22 12:22 159810 --a------ C:\WINDOWS\system32\nvsvc32.exe 2006-10-22 12:22 147456 --a------ C:\WINDOWS\system32\nvcolor.exe 2006-10-22 12:22 1470464 --a------ C:\WINDOWS\system32\nview.dll 2006-10-22 12:22 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe 2006-10-22 12:22 1236992 --a------ C:\WINDOWS\system32\nvwss.dll 2006-10-22 12:22 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll 2006-10-22 12:22 1011712 --a------ C:\WINDOWS\system32\nvcpluir.dll 2006-10-05 04:55 62 --ahs---- C:\DOCUME~1\Antony\Application Data\desktop.ini (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries are not shown [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background" "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" "Steam"="C:\\Program Files\\Valve\\Steam\\\\Steam.exe -silent" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "SoundMan"="SOUNDMAN.EXE" "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup" "nwiz"="nwiz.exe /install" "ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe" "ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe" "GhostStartTrayApp"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe" "Profiler"="C:\\Program Files\\Saitek\\Software\\Profiler.exe" "SaiSmart"="C:\\Program Files\\Saitek\\Software\\SaiSmart.exe" "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer" "AGEIA PhysX SysTray"="C:\\Program Files\\AGEIA Technologies\\TrayIcon.exe" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit" "PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup" "HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\"" "type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\"" "TomTomHOME.exe"="\"C:\\Program Files\\TomTom HOME\\TomTomHOME.exe\" -s" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] "NoChange"="1" "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] "Installed"="1" [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components] "DeskHtmlVersion"=dword:00000110 "DeskHtmlMinorVersion"=dword:00000005 "Settings"=dword:00000001 "GeneralFlags"=dword:00000005 [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" "Flags"=dword:00000002 "Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,00,00,00,\ 00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00 "CurrentState"=hex:04,00,00,40 "OriginalStateInfo"=hex:18,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,\ 00,00,04,00,00,40 "RestoredStateInfo"=hex:18,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,\ 00,00,01,00,00,00 [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe" [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run] "ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" "{3E898EEA-FEFA-451b-ACF2-7561F94B1191}"="gkj" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "dontdisplaylastusername"=dword:00000000 "legalnoticecaption"="" "legalnoticetext"="" "shutdownwithoutlogon"=dword:00000001 "undockwithoutlogon"=dword:00000001 [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload] "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}" "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}" "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 Usnsvc REG_MULTI_SZ usnsvc\0\0 Contents of the 'Scheduled Tasks' folder C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job C:\WINDOWS\tasks\Symantec NetDetect.job Completion time: 07-01-20 20:27:55.15 C:\ComboFix2.txt ... 07-01-20 20:25 C:\ComboFix3.txt ... 07-01-08 22:22 C:\ComboFix4.txt ... 07-01-08 22:23 HJ log Logfile of HijackThis v1.99.1 Scan saved at 20:28, on 07-01-20 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE C:\WINDOWS\system32\nvsvc32.exe C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe C:\Program Files\Saitek\Software\Profiler.exe C:\Program Files\Saitek\Software\SaiSmart.exe C:\Program Files\AGEIA Technologies\TrayIcon.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\TomTom HOME\TomTomHOME.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Valve\Steam\Steam.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Xfire\Xfire.exe C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Antony\My Documents\HELP\files and programs\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {711143B8-DC67-422B-8048-1A3128744F27} - C:\WINDOWS\system32\kpbakpb.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: kgwdacny - C:\WINDOWS\SYSTEM32\kpbakpb.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe __________________ im dyslexic so sorry for any speeling misstkes

01-21-2007, 09:59 AM	#7 (permalink)
antman112 Registered User Join Date: Dec 2005 Posts: 25 OS: XP pro	hummn did what you said "Antony" - 07-01-21 16:58:00 Service Pack 2 ComboFix 07-01-21 - Running from: "C:\Documents and Settings\Antony\Desktop" ((((((((((((((((((((((((((((((( Files Created from 2006-12-21 to 2007-01-21 )))))))))))))))))))))))))))))))))) 2007-01-21 16:57 <DIR> d-------- C:\WINDOWS\temp 2007-01-19 10:27 <DIR> d-------- C:\DOCUME~1\Antony\DoctorWeb 2007-01-19 10:27 <DIR> d-------- C:\DOCUME~1\Antony\DoctorWeb 2007-01-14 20:49 <DIR> d-------- C:\Program Files\Microsoft Windows Vista Upgrade Advisor 2007-01-09 16:13 <DIR> d-------- C:\Program Files\SEGA 2007-01-05 16:21 <DIR> d-------- C:\!KillBox 2007-01-05 11:32 97,792 --a------ C:\WINDOWS\system32\ntmxhyka.dll 2007-01-05 11:30 61,440 --a------ C:\WINDOWS\system32\kpbakpb.dll 2007-01-02 12:03 <DIR> d-------- C:\Program Files\Virtual Earth 3D 2007-01-02 12:00 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe 2006-12-28 18:56 <DIR> d-------- C:\Program Files\Common Files\SystemRequirementsLab 2006-12-28 18:56 <DIR> d-------- C:\DOCUME~1\Antony\Application Data\System Requirements Lab 2006-12-25 16:28 <DIR> d-------- C:\Program Files\TomTom HOME 2006-12-25 16:28 <DIR> d-------- C:\DOCUME~1\Antony\Application Data\InstallShield 2006-12-25 14:01 21,504 --a------ C:\WINDOWS\system32\hidserv.dll 2006-12-25 14:00 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-01-21 16:53 -------- d-------- C:\Program Files\Common Files\Symantec Shared 2007-01-21 16:53 -------- d-------- C:\Program Files\Common Files 2007-01-21 16:44 -------- d-------- C:\Program Files\Mozilla Firefox 2007-01-20 21:48 -------- d-------- C:\Program Files\zprogram counter 2007-01-19 11:42 -------- d-------- C:\DOCUME~1\Antony\Application Data\Xfire 2007-01-19 09:53 -------- d---s---- C:\Program Files\Xfire 2007-01-12 17:56 -------- d-------- C:\Program Files\Norton SystemWorks 2007-01-09 16:13 -------- d--h----- C:\Program Files\InstallShield Installation Information 2007-01-08 22:25 -------- d-------- C:\Program Files\CleanUp! 2007-01-02 12:00 -------- d-------- C:\Program Files\Internet Explorer 2006-12-28 16:31 -------- d---s---- C:\DOCUME~1\Antony\Application Data\Microsoft 2006-12-24 19:30 -------- d-------- C:\Program Files\DivX 2006-12-24 19:27 -------- d-------- C:\DOCUME~1\Antony\Application Data\DivX 2006-12-20 21:30 -------- d-------- C:\Program Files\StarWarsGalaxies 2006-12-20 11:18 -------- d-------- C:\Program Files\Stardock 2006-12-19 13:26 -------- d-------- C:\DOCUME~1\Antony\Application Data\Sun 2006-12-12 16:30 520192 --a------ C:\WINDOWS\system32\DivXsm.exe 2006-12-12 16:30 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll 2006-12-12 16:30 200704 --a------ C:\WINDOWS\system32\ssldivx.dll 2006-12-12 16:30 1044480 --a------ C:\WINDOWS\system32\libdivx.dll 2006-12-12 16:25 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll 2006-12-12 16:25 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll 2006-12-12 16:25 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll 2006-12-12 16:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll 2006-12-12 16:25 635486 --a------ C:\WINDOWS\system32\DivX.dll 2006-12-12 16:25 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll 2006-12-12 16:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll 2006-12-12 16:25 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll 2006-12-12 16:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll 2006-12-12 16:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll 2006-12-12 16:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll 2006-12-12 16:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll 2006-12-12 16:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll 2006-12-12 16:24 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe 2006-12-08 22:54 -------- d-------- C:\Program Files\Java 2006-12-08 22:52 -------- d-------- C:\Program Files\Common Files\Java 2006-12-08 10:09 -------- d-------- C:\Program Files\QuickTime 2006-12-08 10:08 -------- d-------- C:\Program Files\MSN Messenger 2006-12-08 10:08 -------- d-------- C:\Program Files\Messenger 2006-12-08 10:03 -------- d-------- C:\Program Files\AGEIA Technologies 2006-12-07 14:30 -------- d-------- C:\Program Files\InterMute 2006-12-07 13:29 -------- d-------- C:\Program Files\Alwil Software 2006-12-07 13:13 -------- d-------- C:\Program Files\GRISOFT 2006-11-28 17:22 -------- d-------- C:\Program Files\Sony 2006-11-24 14:54 81920 --a------ C:\WINDOWS\system32\OpenAL32.dll 2006-11-24 14:54 221184 --a------ C:\WINDOWS\system32\wrap_oal.dll 2006-11-22 14:43 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys 2006-11-22 13:34 -------- d-------- C:\Program Files\Lionhead Studios 2006-11-21 15:43 -------- d-------- C:\DOCUME~1\Antony\Application Data\teamspeak2 2006-11-15 17:57 139264 --a------ C:\WINDOWS\system32\hpzjrd01.dll 2006-11-10 12:52 8 --a------ C:\DOCUME~1\Antony\Application Data\NMM-MetaData.db 2006-10-22 12:22 888832 --a------ C:\WINDOWS\system32\nvmobls.dll 2006-10-22 12:22 86016 --a------ C:\WINDOWS\system32\nvmctray.dll 2006-10-22 12:22 81920 --a------ C:\WINDOWS\system32\nvwddi.dll 2006-10-22 12:22 794624 --a------ C:\WINDOWS\system32\nvcplui.exe 2006-10-22 12:22 7700480 --a------ C:\WINDOWS\system32\nvcpl.dll 2006-10-22 12:22 581632 --a------ C:\WINDOWS\system32\nvhwvid.dll 2006-10-22 12:22 5644288 --a------ C:\WINDOWS\system32\nvoglnt.dll 2006-10-22 12:22 5619712 --a------ C:\WINDOWS\system32\nvdisps.dll 2006-10-22 12:22 5255168 --a------ C:\WINDOWS\system32\nvdispsr.dll 2006-10-22 12:22 466944 --a------ C:\WINDOWS\system32\nvshell.dll 2006-10-22 12:22 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll 2006-10-22 12:22 4527488 --a------ C:\WINDOWS\system32\nv4_disp.dll 2006-10-22 12:22 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll 2006-10-22 12:22 442368 --a------ C:\WINDOWS\system32\nvappbar.exe 2006-10-22 12:22 425984 --a------ C:\WINDOWS\system32\keystone.exe 2006-10-22 12:22 35840 --a------ C:\WINDOWS\system32\nvcodins.dll 2006-10-22 12:22 35840 --a------ C:\WINDOWS\system32\nvcod.dll 2006-10-22 12:22 3203072 --a------ C:\WINDOWS\system32\nvgamesr.dll 2006-10-22 12:22 311296 --a------ C:\WINDOWS\system32\nvexpbar.dll 2006-10-22 12:22 3047424 --a------ C:\WINDOWS\system32\nvgames.dll 2006-10-22 12:22 2973696 --a------ C:\WINDOWS\system32\nvvitvsr.dll 2006-10-22 12:22 2924544 --a------ C:\WINDOWS\system32\nvvitvs.dll 2006-10-22 12:22 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll 2006-10-22 12:22 2859008 --a------ C:\WINDOWS\system32\nvmoblsr.dll 2006-10-22 12:22 229376 --a------ C:\WINDOWS\system32\nvmccs.dll 2006-10-22 12:22 212992 --a------ C:\WINDOWS\system32\nvapi.dll 2006-10-22 12:22 188416 --a------ C:\WINDOWS\system32\nvmccss.dll 2006-10-22 12:22 1732608 --a------ C:\WINDOWS\system32\nvwssr.dll 2006-10-22 12:22 1662976 --a------ C:\WINDOWS\system32\nvwdmcpl.dll 2006-10-22 12:22 1622016 --a------ C:\WINDOWS\system32\nwiz.exe 2006-10-22 12:22 159810 --a------ C:\WINDOWS\system32\nvsvc32.exe 2006-10-22 12:22 147456 --a------ C:\WINDOWS\system32\nvcolor.exe 2006-10-22 12:22 1470464 --a------ C:\WINDOWS\system32\nview.dll 2006-10-22 12:22 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe 2006-10-22 12:22 1236992 --a------ C:\WINDOWS\system32\nvwss.dll 2006-10-22 12:22 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll 2006-10-22 12:22 1011712 --a------ C:\WINDOWS\system32\nvcpluir.dll 2006-10-05 04:55 62 --ahs---- C:\DOCUME~1\Antony\Application Data\desktop.ini (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries are not shown [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background" "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" "Steam"="C:\\Program Files\\Valve\\Steam\\\\Steam.exe -silent" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "SoundMan"="SOUNDMAN.EXE" "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup" "nwiz"="nwiz.exe /install" "ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe" "ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe" "GhostStartTrayApp"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe" "Profiler"="C:\\Program Files\\Saitek\\Software\\Profiler.exe" "SaiSmart"="C:\\Program Files\\Saitek\\Software\\SaiSmart.exe" "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer" "AGEIA PhysX SysTray"="C:\\Program Files\\AGEIA Technologies\\TrayIcon.exe" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit" "PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup" "HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\"" "type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\"" "TomTomHOME.exe"="\"C:\\Program Files\\TomTom HOME\\TomTomHOME.exe\" -s" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] "NoChange"="1" "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] "Installed"="1" [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components] "DeskHtmlVersion"=dword:00000110 "DeskHtmlMinorVersion"=dword:00000005 "Settings"=dword:00000001 "GeneralFlags"=dword:00000005 [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" "Flags"=dword:00000002 "Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,00,00,00,\ 00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00 "CurrentState"=hex:04,00,00,40 "OriginalStateInfo"=hex:18,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,\ 00,00,04,00,00,40 "RestoredStateInfo"=hex:18,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,\ 00,00,01,00,00,00 [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe" [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run] "ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" "{3E898EEA-FEFA-451b-ACF2-7561F94B1191}"="gkj" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "dontdisplaylastusername"=dword:00000000 "legalnoticecaption"="" "legalnoticetext"="" "shutdownwithoutlogon"=dword:00000001 "undockwithoutlogon"=dword:00000001 [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload] "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}" "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}" "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 Usnsvc REG_MULTI_SZ usnsvc\0\0 Contents of the 'Scheduled Tasks' folder C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job C:\WINDOWS\tasks\Symantec NetDetect.job Completion time: 07-01-21 16:58:22.60 C:\ComboFix2.txt ... 07-01-21 16:56 C:\ComboFix3.txt ... 07-01-20 20:27 C:\ComboFix4.txt ... 07-01-08 22:23 C:\ComboFix5.txt ... 07-01-20 20:28 __________________ im dyslexic so sorry for any speeling misstkes

01-22-2007, 09:08 AM	#9 (permalink)
antman112 Registered User Join Date: Dec 2005 Posts: 25 OS: XP pro	ok here we go Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\opmojugg ***************** Script file located at: \??\C:\cadhlhui.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger *************** Beginning to process script file: File C:\WINDOWS\system32\ntmxhyka.dll deleted successfully. File C:\WINDOWS\system32\kpbakpb.dll deleted successfully. Completed script processing. ***************** Finished! Terminate. and Logfile of HijackThis v1.99.1 Scan saved at 16:08, on 07-01-22 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE C:\WINDOWS\system32\nvsvc32.exe C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe C:\Program Files\Saitek\Software\Profiler.exe C:\Program Files\Saitek\Software\SaiSmart.exe C:\Program Files\AGEIA Technologies\TrayIcon.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\TomTom HOME\TomTomHOME.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Valve\Steam\Steam.exe C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Xfire\Xfire.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\HPZinw12.exe C:\Documents and Settings\Antony\My Documents\HELP\files and programs\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {711143B8-DC67-422B-8048-1A3128744F27} - C:\WINDOWS\system32\kpbakpb.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: kgwdacny - kpbakpb.dll (file missing) O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing) thats a new one on me __________________ im dyslexic so sorry for any speeling misstkes

01-22-2007, 04:12 PM	#10 (permalink)
Pancake Security Team (ret.) Join Date: Nov 2003 Location: Victoria.Australia Posts: 7,404 OS: XP Pro SP3	Ok.Last bit to do....Remove these from the log and that should have you all back to normal... O2 - BHO: (no name) - {711143B8-DC67-422B-8048-1A3128744F27} - C:\WINDOWS\system32\kpbakpb.dll (file missing) O20 - Winlogon Notify: kgwdacny - kpbakpb.dll (file missing) If you wish to do so, here are a few things that you can do that will help keep your computer a bit more clean and secure.. If you have not already done so, you might want to run Disk Cleanup and run it in each user's profile: Run Disk Cleanup Click "Start > Programs > Accessories > System Tools > Disk Cleanup" Please make sure the following are checked: -- Downloaded Program Files -- Temporary Internet Files -- Recycle Bin -- Temporary Files Click "OK" and Disk Cleanup will delete those files for you. Now that you are clean its now is a good time to flush out your restored files. To flush the XP System Restore Points: (Using XP, you must be logged in as Administrator to do this.) Go to Start>Run and type msconfig Press enter. When msconfig opens, click the Launch System Restore Button. On the next page, click the System Restore Settings Link on the left. Check the box labeled Turn Off System Restore. Reboot. Go back in and turn System Restore ON. A new Restore Point will be created. How Do I Protect My Computer Against Future Malware Now I'm Clean. NOTE:You may have already taken some of these steps. Update your anti-virus software & Windows operating system on a daily or weekly basis. Microsoft also distributes updates to its operating systems. These updates fix security holes or other problems that make a computer susceptible to security breaches. How to update your Windows operating system Know What You're Installing Check the source. To avoid malware, make sure your software comes from a reputable source. Be particularly suspicious of sponsored software (software that relies on advertising) or software that claims to speed up your Internet connection. Use Custom Install. If you feel comfortable with software installation, you can choose Custom Install (as opposed to Typical Install). Custom Install allows you to select only the software components you wish to install, and leave out others (such as potential spyware). Modify Security Settings (Internet Explorer 6) To reduce the risk of installing malware, you can set Internet Explorer to high security mode. To do so: Open Internet Explorer. Go to Tools > Internet Options…. On the Internet Options screen, select the Security tab, then select the Internet icon (if it is not already selected). Under Security level for this zone, click Default Level. Set the slider to High. Note: You may have to lower the security level to view certain Web sites. Next, select the Trusted Sites icon. Under Security level for this zone, click Default Level. Set the slider to Medium. Click Apply, then OK to save the changes. Some Recommended Protection Programs Each tool has its own strengths for identifying and removing specific types of malware. To thoroughly check your computer, its recommend that you use more than one malware removal program. Don't forget to back up your data files before starting a scan! Some available programs are: Ad-Aware SpyBot Search & Destroy Now that you are clean, to help protect your system I recommend that you get the following free programs: SpywareBlaster to help prevent spyware from installing. SpywareGuard to catch and block spyware . IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. WinPatrol to monitor any changes that programs make to the registry. If you do not have a firewall, here is a free one for personal use: ZoneAlarm http://www.zonelabs.com/store/conten..._freedownloads http://www.zonelabs.com/store/conten...g=en&lid=ho_za Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above link work, check this for an independent comparison of several anti-spyware programs: http://www.spywarewarrior.com/asw-test-guide.htm Here is a helpful article: "So how did I get infected in the first place?" http://computercops.biz/postlite7736-.html http://www.pchelpforum.com/tutorials...t-your-pc.html Let us know if we have not resolved your problem. Otherwise, you are good to go. Happy and Safe Surfing! __________________ Eddy

01-23-2007, 08:19 AM	#11 (permalink)
antman112 Registered User Join Date: Dec 2005 Posts: 25 OS: XP pro	eveything is removed now and system is working as it did the day i built it thx you for your help this is the last time im going to let this happen iv up my security and am updateding soon thx you for your help each time i come here i see more of the overwellming skill you people have thx agen __________________ im dyslexic so sorry for any speeling misstkes

01-23-2007, 04:29 PM	#12 (permalink)
Pancake Security Team (ret.) Join Date: Nov 2003 Location: Victoria.Australia Posts: 7,404 OS: XP Pro SP3	Ok.Glad it all fine. __________________ Eddy