Old 10-15-2007, 08:06 PM   #1
Registered User
 
Join Date: Oct 2007
Posts: 35
OS: Windows XP Media


Trojan - webassist.dll & more

Hey!

I'm really hoping you guys can help me out with this. It's gotten me to the point where I'm about to break something. I'm not big on computer lingo and I tried to follow all the steps required. (Step 1 or 2 could not be completed because of my problem)

Problems:

- Slow start-up : Recently, my computer has taken longer to boot.
- Symantec Antivirus always disabled : I enable it, but it quickly disables itself.

And my biggest problem

- Internet cuts off : MSN Messenger always logs on and off, downloads always "choke" a fraction of the way (Ones bigger than 5 megs usually), online videos never fully play, I get bad connection errors from online games halfway in the game, etc.

My Symantec Antivirus currently has two items in quarantine that it can't delete.

Risk: Trojan.Dropper   Filename: svcpipa.exe
Risk: Trojan Horse     Filename: webass~1.dll (or webassit.dll, I think)

I've done some research but found nothing in common with my internet problem. Hope you guys can help. Thanks in advance! Here's the info from HijackThis. (The extra wouldn't show up after the first try; I uninstalled some large software after the initial HijackThis run, but here is the recent main log.)


Deckard's System Scanner v20071014.68
Run by eric on 2007-10-16 21:22:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-10-16 21:23:20
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\mixer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\ehome\ehRecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Main Archive\Programs\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Netscape Accelerator\components\NOWImaging.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [Steam] "d:\valve\steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Daemon\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.2.100.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/game...lugin11USA.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_02) - http://java.sun.com/update/1.6.0/jin...ws-i586-jc.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SavRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


--
End of file - 6932 bytes

-- Files created between 2007-09-16 and 2007-10-16 -----------------------------

2007-10-16 21:17:28 0 d-------- C:\Program Files\Trend Micro
2007-10-16 19:09:57 0 d-------- C:\Documents and Settings\eric\Application Data\WinRAR
2007-10-16 19:01:18 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-10-16 19:00:45 0 d-------- C:\Program Files\SpywareBlaster
2007-10-16 17:39:35 0 d-------- C:\WINDOWS\system32\appmgmt
2007-10-16 17:28:02 0 d-------- C:\Program Files\InCode Solutions
2007-10-15 22:56:09 1156 --a------ C:\WINDOWS\mozver.dat
2007-10-15 22:54:05 0 d-------- C:\Documents and Settings\eric\dwhelper
2007-10-15 04:34:52 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-10-15 04:13:45 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-09-27 20:00:24 0 d-------- C:\Program Files\Ricochet Infinity
2007-09-27 20:00:12 0 d-------- C:\Program Files\ReflexiveArcade


-- Find3M Report ---------------------------------------------------------------

2007-10-16 21:02:55 0 d-------- C:\Program Files\Symantec AntiVirus
2007-10-16 20:47:51 0 d-------- C:\Program Files\BitTorrent
2007-10-16 19:32:24 0 d-------- C:\Documents and Settings\eric\Application Data\BitTorrent
2007-10-16 17:38:12 0 d-------- C:\Documents and Settings\eric\Application Data\Macromedia
2007-10-16 17:38:12 0 d--h----- C:\Documents and Settings\eric\Application Data\ijjigame
2007-10-16 17:38:12 0 d-------- C:\Documents and Settings\eric\Application Data\Command & Conquer 3 Tiberium Wars
2007-10-16 17:38:12 0 d-------- C:\Documents and Settings\eric\Application Data\Adobe
2007-10-14 18:45:41 0 d-------- C:\Documents and Settings\eric\Application Data\LimeWire
2007-09-13 22:52:01 0 d-------- C:\Program Files\MSN Messenger
2007-09-11 22:31:36 0 d-------- C:\Documents and Settings\eric\Application Data\Sun
2007-09-11 22:31:24 0 d-------- C:\Program Files\Java
2007-09-11 22:29:05 0 d-------- C:\Program Files\Common Files
2007-09-11 22:29:05 0 d-------- C:\Program Files\Common Files\Java
2007-09-11 22:28:05 0 d-------- C:\Program Files\LimeWire
2007-09-03 11:46:02 0 d-------- C:\Program Files\ahead
2007-08-28 21:21:21 0 d-------- C:\Documents and Settings\eric\Application Data\IGN_DLM
2007-08-28 19:07:43 0 d-------- C:\Program Files\IGN
2007-08-28 18:58:04 0 d-------- C:\Program Files\MAIET
2007-08-25 09:07:30 0 d-------- C:\Program Files\Quark
2007-08-16 23:17:16 0 d-------- C:\Program Files\Messenger
2007-08-03 18:43:28 0 --a------ C:\WINDOWS\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 05:04 AM]
"C-Media Mixer"="Mixer.exe" [04/30/2002 10:23 AM C:\WINDOWS\mixer.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06/02/2005 10:21 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [09/07/2007 08:03 PM]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [04/04/2005 07:58 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 05:50 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [03/05/2007 01:57 PM]
"Steam"="d:\valve\steam.exe" [10/14/2007 12:04 AM]
"DAEMON Tools"="D:\Daemon\DAEMON Tools\daemon.exe" [08/16/2007 07:24 AM]
"RemoveIT Pro XT"="C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe" [09/24/2007 07:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 5:44:06 AM]
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe [8/18/2005 5:09:58 PM]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [4/6/2003 1:37:10 AM]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [4/6/2003 258 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme




-- End of Deckard's System Scanner: finished at 2007-10-16 21:24:10 ------------
Attached Files
File Type: txt extra.txt (11.8 KB, 1 views)
Lunearetic is offline  
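Reading a HijackThis log is mostly a matter of pattern-matching a handful of line types. The script below is an added example, not code from this thread or from Trend Micro: it encodes the first-pass checks an analyst applies by eye (orphaned O2/O3/O9 entries, unresolved O4 shortcuts, every O16 ActiveX download, O23 services with no publisher, and autoruns living under user-writable folders) and runs them over a handful of lines copied from the log above. The `[updater] ... hypothetical.exe` line in the sample is constructed to exercise the user-writable-folder rule; nothing on the page reports such an entry. Severity "fix" means safe to remove, "review" means a human still has to decide.

```python
"""First-pass triage of HijackThis-style log lines.

Added example, not code from the thread or from Trend Micro.  SAMPLE_LOG is
copied from the log posted above except for the "[updater] ... hypothetical.exe"
line, which is constructed (hypothetical) to exercise the user-writable rule.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "O2 - BHO: ..." -> section "O2", body "BHO: ..."
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+)\s+-\s+(?P<body>.*)$")

# Autoruns whose binary sits under a user-writable folder deserve a second look.
USER_WRITABLE = re.compile(
    r"\\(?:Temp|Application Data|Local Settings)\\.*\.(?:exe|dll|scr|cmd|bat)\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "fix" (safe to remove) or "review" (needs a human decision)
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a log line worth attention, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in {"O2", "O3", "O9"} and ("(no file)" in body or "(file missing)" in body):
        return Finding(sec, "fix", "orphaned CLSID: the registered component's file is gone", line)
    if sec == "O4" and body.rstrip().endswith("= ?"):
        return Finding(sec, "review", "startup shortcut whose target could not be resolved", line)
    if sec == "O4" and USER_WRITABLE.search(body):
        return Finding(sec, "review", "autorun launched from a user-writable folder", line)
    if sec == "O16":
        return Finding(sec, "review", "ActiveX control fetched from a URL; remove unless recognised", line)
    if sec == "O23" and "Unknown owner" in body:
        return Finding(sec, "review", "service with no publisher string; verify the binary", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a log and collect the hits, in order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {"fix": 2, "review": 4}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Netscape Accelerator\components\NOWImaging.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\eric\Local Settings\Temp\hypothetical.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/game...lugin11USA.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summary(hits))
```

The rules deliberately stop at "review" for O16 and O23 entries: an ActiveX download from a game site and a service with no publisher string are both common in a gamer's XP box and both common malware vectors, so the script surfaces them without pretending to know which they are. A real entry that is signed and in its vendor's directory (the Symantec service above) produces no finding at all.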

Old 10-17-2007, 11:44 AM   #2
Registered User
 
Join Date: Oct 2007
Posts: 35
OS: Windows XP Media


Re: Trojan - webassist.dll & more

I finally got the patience to run a Panda scan; I left it overnight and it finished by itself. Here's what showed up. I'll also post my latest HijackThis log. For some reason, the Extra never shows up anymore; it only did in the first scan.

ActiveScan


Incident Status Location

Adware:adware/adwhere Not disinfected Windows Registry
Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\eric\Application Data\LimeWire\.NetworkShare\LimeWireWin4.14.10.exe[²ÜÇ\nsisdl.dll]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\eric\Application Data\Mozilla\Firefox\Profiles\po6gvw8q.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\eric\Application Data\Mozilla\Firefox\Profiles\po6gvw8q.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\eric\Application Data\Mozilla\Firefox\Profiles\po6gvw8q.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\eric\Application Data\Mozilla\Firefox\Profiles\po6gvw8q.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\eric\Application Data\Mozilla\Firefox\Profiles\po6gvw8q.default\cookies.txt[.advertising.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\eric\Application Data\Mozilla\Firefox\Profiles\po6gvw8q.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\eric\Application Data\Mozilla\Firefox\Profiles\po6gvw8q.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\eric\Application Data\Mozilla\Firefox\Profiles\po6gvw8q.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\eric\Application Data\Mozilla\Firefox\Profiles\po6gvw8q.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\eric\Application Data\Mozilla\Firefox\Profiles\po6gvw8q.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\eric\Application Data\Mozilla\Firefox\Profiles\po6gvw8q.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\eric\Application Data\Mozilla\Firefox\Profiles\po6gvw8q.default\cookies.txt[.com.com/]
Spyware:Cookie/Bs.serving-sys Not disinfected C:\Documents and Settings\eric\Application Data\Mozilla\Firefox\Profiles\po6gvw8q.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\eric\Application Data\Mozilla\Firefox\Profiles\po6gvw8q.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\eric\Application Data\Mozilla\Firefox\Profiles\po6gvw8q.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\eric\Application Data\Mozilla\Firefox\Profiles\po6gvw8q.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\eric\Cookies\eric@ad.yieldmanager[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\eric\Cookies\eric@atdmt[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\eric\Cookies\eric@com[1].txt
Spyware:Spyware/SafeSurf Not disinfected C:\Program Files\LimeWire\.NetworkShare\LimeWireWin4.14.8.exe[²ÜÇ\nsisdl.dll]
Spyware:Spyware/SafeSurf Not disinfected D:\Main Archive\Programs\LimeWireWin.exe[²ÜÇ\nsisdl.dll]


HiJackThis

Deckard's System Scanner v20071014.68
Run by eric on 2007-10-17 13:35:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as eric.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:00 PM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\valve\steam.exe
D:\Daemon\DAEMON Tools\daemon.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\MSN Messenger\usnsvc.exe
D:\Main Archive\Programs\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\eric.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Netscape Accelerator\components\NOWImaging.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [Steam] "d:\valve\steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Daemon\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.2.100.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/game...lugin11USA.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6357 bytes

-- Files created between 2007-09-17 and 2007-10-17 -----------------------------

2007-10-17 21:37:35 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-10-17 20:42:40 0 d-------- C:\Documents and Settings\eric\Application Data\Uniblue
2007-10-17 20:42:26 0 d-------- C:\Program Files\Uniblue
2007-10-16 21:17:28 0 d-------- C:\Program Files\Trend Micro
2007-10-16 19:09:57 0 d-------- C:\Documents and Settings\eric\Application Data\WinRAR
2007-10-16 19:01:18 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-10-16 19:00:45 0 d-------- C:\Program Files\SpywareBlaster
2007-10-16 17:39:35 0 d-------- C:\WINDOWS\system32\appmgmt
2007-10-16 17:28:02 0 d-------- C:\Program Files\InCode Solutions
2007-10-15 22:56:09 1156 --a------ C:\WINDOWS\mozver.dat
2007-10-15 22:54:05 0 d-------- C:\Documents and Settings\eric\dwhelper
2007-10-15 04:34:52 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-10-15 04:13:45 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-09-27 20:00:24 0 d-------- C:\Program Files\Ricochet Infinity
2007-09-27 20:00:12 0 d-------- C:\Program Files\ReflexiveArcade


-- Find3M Report ---------------------------------------------------------------

2007-10-17 19:48:50 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-17 13:34:08 0 d-------- C:\Program Files\Symantec AntiVirus
2007-10-17 09:52:44 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-10-16 20:47:51 0 d-------- C:\Program Files\BitTorrent
2007-10-16 19:32:24 0 d-------- C:\Documents and Settings\eric\Application Data\BitTorrent
2007-10-16 17:38:12 0 d-------- C:\Documents and Settings\eric\Application Data\Macromedia
2007-10-16 17:38:12 0 d--h----- C:\Documents and Settings\eric\Application Data\ijjigame
2007-10-16 17:38:12 0 d-------- C:\Documents and Settings\eric\Application Data\Command & Conquer 3 Tiberium Wars
2007-10-16 17:38:12 0 d-------- C:\Documents and Settings\eric\Application Data\Adobe
2007-10-14 18:45:41 0 d-------- C:\Documents and Settings\eric\Application Data\LimeWire
2007-09-13 22:52:01 0 d-------- C:\Program Files\MSN Messenger
2007-09-11 22:31:36 0 d-------- C:\Documents and Settings\eric\Application Data\Sun
2007-09-11 22:31:24 0 d-------- C:\Program Files\Java
2007-09-11 22:29:05 0 d-------- C:\Program Files\Common Files
2007-09-11 22:29:05 0 d-------- C:\Program Files\Common Files\Java
2007-09-11 22:28:05 0 d-------- C:\Program Files\LimeWire
2007-09-03 11:46:02 0 d-------- C:\Program Files\ahead
2007-08-28 21:21:21 0 d-------- C:\Documents and Settings\eric\Application Data\IGN_DLM
2007-08-28 19:07:43 0 d-------- C:\Program Files\IGN
2007-08-28 18:58:04 0 d-------- C:\Program Files\MAIET
2007-08-25 09:07:30 0 d-------- C:\Program Files\Quark
2007-08-03 18:43:28 0 --a------ C:\WINDOWS\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 05:04 AM]
"C-Media Mixer"="Mixer.exe" [04/30/2002 10:23 AM C:\WINDOWS\mixer.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06/02/2005 10:21 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [09/07/2007 08:03 PM]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [04/04/2005 07:58 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 05:50 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [03/05/2007 01:57 PM]
"Steam"="d:\valve\steam.exe" [10/14/2007 12:04 AM]
"DAEMON Tools"="D:\Daemon\DAEMON Tools\daemon.exe" [08/16/2007 07:24 AM]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [09/06/2007 03:27 PM]
"RemoveIT Pro XT"="C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe" [09/24/2007 07:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 5:44:06 AM]
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe [8/18/2005 5:09:58 PM]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [4/6/2003 1:37:10 AM]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [4/6/2003 258 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme




-- End of Deckard's System Scanner: finished at 2007-10-17 13:36:56 ------------
Lunearetic is offline  
Old 10-19-2007, 11:38 AM   #3
Registered User
 
Join Date: Oct 2007
Posts: 35
OS: Windows XP Media


Re: Trojan - webassist.dll & more

Bump.
Lunearetic is offline  
Old 10-19-2007, 09:46 PM   #4
Registered User
 
Join Date: Oct 2007
Posts: 35
OS: Windows XP Media


Re: Trojan - webassist.dll & more

Bump.
Lunearetic is offline  
Old 10-19-2007, 10:39 PM   #5
Assistant Manager, TSF Academy; Moderator/Analyst Security Team

Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: Trojan - webassist.dll & more

Hello Lunearetic and welcome to TSF,

No worries about the extra.txt. It is only produced on the initial run of dss.exe unless we use a command switch. I've no need at this time for a new one as the one you posted has provided me with the information I need.

There is nothing readily apparent in the logs you've posted, but based on what I see in the Event Viewer section of the extra.txt, the Norton quarantine, as well as the symptoms you've described, please do the following:

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 10-19-2007, 11:22 PM   #6 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 35
OS: Windows XP Media


Re: Trojan - webassist.dll & more

Thanks for the reply, I appreciate any help!

I usually close some programs that open on start-up so they don't use too much of my memory; does that affect the outcome of some of the scans? (I also have a side question: is there another way to uninstall a program without using conventional methods, i.e., Control Panel or the program's uninstall.exe? This one program doesn't show up on the Control Panel's Add/Remove list, and doesn't appear to have an uninstall.exe file. It's a program I installed, hoping to fix my virus problem, but I'm starting to think it was a bad move. The software is called RemoveIT, I think, and it always opens on start-up. No real negative effects, really.)

Anyway, here's the info you require:

Latest HiJackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:55 AM, on 10/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\Netscape Accelerator\components\NOWImaging.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [Steam] "d:\valve\steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Daemon\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.2.100.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/game...lugin11USA.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 5808 bytes



ComboFix log

ComboFix 07-10-20.5 - eric 2007-10-20 1:02:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.619 [GMT -4:00]
Running from: C:\Documents and Settings\eric\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-20 to 2007-10-20 )))))))))))))))))))))))))))))))
.

2007-10-18 19:44 <DIR> d-------- C:\Documents and Settings\eric\Application Data\AdobeUM
2007-10-17 21:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-17 20:42 <DIR> d-------- C:\Program Files\Uniblue
2007-10-17 20:42 <DIR> d-------- C:\Documents and Settings\eric\Application Data\Uniblue
2007-10-17 19:39 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-16 21:22 <DIR> d-------- C:\Deckard
2007-10-16 21:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-16 19:01 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-10-16 19:00 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-16 17:28 <DIR> d-------- C:\Program Files\InCode Solutions
2007-10-15 22:56 1,156 --a------ C:\WINDOWS\mozver.dat
2007-10-15 22:54 <DIR> d-------- C:\Documents and Settings\eric\dwhelper
2007-10-15 04:34 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-10-15 04:13 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-09-27 20:00 <DIR> d-------- C:\Program Files\Ricochet Infinity
2007-09-27 20:00 <DIR> d-------- C:\Program Files\ReflexiveArcade

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-17 23:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-17 17:34 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-17 13:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-17 00:47 --------- d-----w C:\Program Files\BitTorrent
2007-10-16 23:32 --------- d-----w C:\Documents and Settings\eric\Application Data\BitTorrent
2007-10-16 21:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-10-16 21:38 --------- d--h--w C:\Documents and Settings\eric\Application Data\ijjigame
2007-10-16 21:38 --------- d-----w C:\Documents and Settings\eric\Application Data\Command & Conquer 3 Tiberium Wars
2007-10-14 22:45 --------- d-----w C:\Documents and Settings\eric\Application Data\LimeWire
2007-09-14 02:52 --------- d-----w C:\Program Files\MSN Messenger
2007-09-12 02:31 --------- d-----w C:\Program Files\Java
2007-09-12 02:29 --------- d-----w C:\Program Files\Common Files\Java
2007-09-12 02:28 --------- d-----w C:\Program Files\LimeWire
2007-09-03 15:46 --------- d-----w C:\Program Files\ahead
2007-08-29 01:21 --------- d-----w C:\Documents and Settings\eric\Application Data\IGN_DLM
2007-08-28 23:07 --------- d-----w C:\Program Files\IGN
2007-08-28 22:58 --------- d-----w C:\Program Files\MAIET
2007-08-25 13:07 --------- d-----w C:\Program Files\Quark
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-28 22:12 4,215,160 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-17_19.45.28.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-28 1308 135,168 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-20 10:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 05:04]
"C-Media Mixer"="Mixer.exe" [2002-04-30 10:23 C:\WINDOWS\mixer.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 10:21]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-09-07 20:03]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 19:58]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 05:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2007-03-05 13:57]
"Steam"="d:\valve\steam.exe" [2007-10-14 00:04]
"DAEMON Tools"="D:\Daemon\DAEMON Tools\daemon.exe" [2007-08-16 07:24]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-09-06 15:27]
"RemoveIT Pro XT"="C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe" [2007-09-24 19:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06]
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe [2005-08-18 17:09:58]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 01:37:10]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 0258]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

R3 BLKWGD;Belkin Wireless G Desktop Card Service;C:\WINDOWS\system32\DRIVERS\BLKWGD.sys
R3 wlanndi5;wlanndi5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\wlanndi5.SYS
S3 gAGP440p;gAGP440p;\??\C:\DOCUME~1\eric\LOCALS~1\Temp\gAGP440p.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-20 04:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\gq688uqL.exe
"2007-10-19 13:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\gq688uqL.exe
"2007-10-19 14:00:00 C:\WINDOWS\Tasks\At11.job"
"2007-10-19 15:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\gq688uqL.exe
"2007-10-19 16:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\gq688uqL.exe
"2007-10-19 17:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\gq688uqL.exe
"2007-10-19 18:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\gq688uqL.exe
"2007-10-19 19:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\gq688uqL.exe
"2007-10-19 20:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\gq688uqL.exe
"2007-10-19 21:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\gq688uqL.exe
"2007-10-19 22:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\gq688uqL.exe
"2007-10-20 05:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\gq688uqL.exe
"2007-10-19 23:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\gq688uqL.exe
"2007-10-20 00:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\gq688uqL.exe
"2007-10-20 01:00:00 C:\WINDOWS\Tasks\At22.job"
"2007-10-20 02:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\gq688uqL.exe
"2007-10-20 03:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\gq688uqL.exe
"2007-10-19 06:00:00 C:\WINDOWS\Tasks\At3.job"
"2007-10-19 07:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\gq688uqL.exe
"2007-10-19 08:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\gq688uqL.exe
"2007-10-19 09:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\gq688uqL.exe
"2007-10-19 10:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\gq688uqL.exe
"2007-10-19 11:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\gq688uqL.exe
"2007-10-19 12:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\gq688uqL.exe
"2007-04-01 17:14:35 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1166998440.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2007-10-19 20:18:00 C:\WINDOWS\Tasks\WebReg 20070813161800.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-20 01:04:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-20 101
C:\ComboFix2.txt ... 2007-10-17 19:46
.
--- E O F ---
Lunearetic is offline  
Old 10-19-2007, 11:36 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: Trojan - webassist.dll & more

Hi,

Quote:
I usually close some programs that open on start-up so it doesn't use too much of my memory, does that affect the outcome of some of the scans?
No, I am able to see those in the registry dump portion of the main.txt produced by dss.exe, or in the ComboFix.txt.

Regarding RemoveIT, navigate to the following folder and see if you can locate an uninstall.exe in there. If so, run it.

If not, simply delete the following folder:

C:\Program Files\InCode Solutions

------------------------------------------------------------------

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\gq688uqL.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


--------------------------------------------------------------------

Please return with the C:\ComboFix.txt and an update on system behavior.
Ried is offline  
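The cleanup Ried scripted above rests on one observation from the ComboFix log: a batch of at.exe-created jobs (At1.job through At24.job, one per hour) all launch the same random-named executable in system32, and the fix is to hand that executable and every job file to ComboFix in a CFScript File:: block. The script below is an added example, not ComboFix's, TSF's or Ried's own code: it parses the Scheduled Tasks section in the log format quoted in this thread, groups the At<n>.job tasks by target, and emits that File:: block. The sample log is a constructed, shortened excerpt in the same format.

```python
"""Flag at.exe-created scheduled tasks (At<n>.job) that all launch one
executable, and build the CFScript File:: block ComboFix accepts.

Added example for this thread, not ComboFix's, TSF's or Ried's own code.
Assumed input format (taken from the ComboFix log quoted in the thread):
inside the "Contents of the 'Scheduled Tasks' folder" section each task is
a quoted line '"<date> <time> C:\\WINDOWS\\Tasks\\<name>.job"', optionally
followed by a line '- <target path>'; the section ends with a lone '.' line.
"""
import re
from collections import defaultdict

TASK_RE = re.compile(r'^"(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (.+\.job)"$')
TARGET_RE = re.compile(r'^- (.+)$')
AT_JOB_RE = re.compile(r'\\At(\d+)\.job$', re.IGNORECASE)  # jobs created by at.exe

# Constructed excerpt, shortened from the log in the thread but in the same format.
SAMPLE_LOG = """\
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-20 04:00:00 C:\\WINDOWS\\Tasks\\At1.job"
- C:\\WINDOWS\\system32\\gq688uqL.exe
"2007-10-20 05:00:00 C:\\WINDOWS\\Tasks\\At2.job"
- C:\\WINDOWS\\system32\\gq688uqL.exe
"2007-10-19 06:00:00 C:\\WINDOWS\\Tasks\\At3.job"
"2007-10-19 07:00:00 C:\\WINDOWS\\Tasks\\At4.job"
- C:\\WINDOWS\\system32\\gq688uqL.exe
"2007-04-01 17:14:35 C:\\WINDOWS\\Tasks\\FRU Task #Hewlett-Packard#hp psc 2170 series#1166998440.job"
- C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Bin\\hpqfrucl.exe
"2007-10-19 20:18:00 C:\\WINDOWS\\Tasks\\WebReg 20070813161800.job"
- C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Bin\\hpqwrg.exe
.
**************************************************************************
"""


def parse_scheduled_tasks(log_text):
    """Return [(job_path, target_or_None), ...] from the Scheduled Tasks section."""
    tasks = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
            continue
        if not in_section:
            continue
        if line == "." or line.startswith("*"):
            break  # ComboFix closes the section with a lone '.' before the catchme banner
        m = TASK_RE.match(line)
        if m:
            tasks.append([m.group(3), None])
            continue
        m = TARGET_RE.match(line)
        if m and tasks:
            tasks[-1][1] = m.group(1)  # the '- target' line belongs to the task just listed
    return [tuple(t) for t in tasks]


def find_at_jobs(tasks):
    """Group at.exe-created jobs by the executable they launch.

    A job ComboFix listed without a '- target' line (At11.job and At22.job in
    the thread) goes under the key None; it is still an at.exe job and is
    still removed with the rest.
    """
    by_target = defaultdict(list)
    for job, target in tasks:
        if AT_JOB_RE.search(job):
            by_target[target].append(job)
    return dict(by_target)


def suspicious_targets(at_jobs, min_jobs=3):
    """Executables launched by at least min_jobs At<n>.job tasks.

    An administrator rarely schedules a batch of hourly at.exe jobs for one
    binary; 24 of them pointing at a random-named file in system32, as in
    this thread, is a persistence mechanism, not a maintenance task.
    """
    return sorted(t for t, jobs in at_jobs.items()
                  if t is not None and len(jobs) >= min_jobs)


def build_cfscript(log_text, min_jobs=3):
    """Emit the File:: block in the form Ried used: the shared executable(s)
    first, then every At<n>.job in the same string order ComboFix lists them."""
    at_jobs = find_at_jobs(parse_scheduled_tasks(log_text))
    targets = suspicious_targets(at_jobs, min_jobs)
    if not targets:
        return ""  # nothing to clean; do not produce an empty File:: block
    jobs = sorted({j for js in at_jobs.values() for j in js}, key=str.lower)
    return "\n".join(["File::", *targets, *jobs]) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG), end="")
```

Run against a full ComboFix.txt the script prints the same File:: list Ried wrote by hand; with no At jobs sharing a target it prints nothing, so an HP or Windows maintenance task never ends up in the script.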
Old 10-19-2007, 11:51 PM   #8 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 35
OS: Windows XP Media


Re: Trojan - webassist.dll & more

System behaviour is normal.


New ComboFix log:

ComboFix 07-10-20.5 - eric 2007-10-20 1:43:13.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.611 [GMT -4:00]
Running from: C:\Documents and Settings\eric\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\eric\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\gq688uqL.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2007-09-20 to 2007-10-20 )))))))))))))))))))))))))))))))
.

2007-10-18 19:44 <DIR> d-------- C:\Documents and Settings\eric\Application Data\AdobeUM
2007-10-17 21:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-17 20:42 <DIR> d-------- C:\Program Files\Uniblue
2007-10-17 20:42 <DIR> d-------- C:\Documents and Settings\eric\Application Data\Uniblue
2007-10-17 19:39 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-16 21:22 <DIR> d-------- C:\Deckard
2007-10-16 21:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-16 19:01 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-10-16 19:00 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-16 17:28 <DIR> d-------- C:\Program Files\InCode Solutions
2007-10-15 22:56 1,156 --a------ C:\WINDOWS\mozver.dat
2007-10-15 22:54 <DIR> d-------- C:\Documents and Settings\eric\dwhelper
2007-10-15 04:34 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-10-15 04:13 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-09-27 20:00 <DIR> d-------- C:\Program Files\Ricochet Infinity
2007-09-27 20:00 <DIR> d-------- C:\Program Files\ReflexiveArcade

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-17 23:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-17 17:34 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-17 13:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-17 00:47 --------- d-----w C:\Program Files\BitTorrent
2007-10-16 23:32 --------- d-----w C:\Documents and Settings\eric\Application Data\BitTorrent
2007-10-16 21:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-10-16 21:38 --------- d--h--w C:\Documents and Settings\eric\Application Data\ijjigame
2007-10-16 21:38 --------- d-----w C:\Documents and Settings\eric\Application Data\Command & Conquer 3 Tiberium Wars
2007-10-14 22:45 --------- d-----w C:\Documents and Settings\eric\Application Data\LimeWire
2007-09-14 02:52 --------- d-----w C:\Program Files\MSN Messenger
2007-09-12 02:31 --------- d-----w C:\Program Files\Java
2007-09-12 02:29 --------- d-----w C:\Program Files\Common Files\Java
2007-09-12 02:28 --------- d-----w C:\Program Files\LimeWire
2007-09-03 15:46 --------- d-----w C:\Program Files\ahead
2007-08-29 01:21 --------- d-----w C:\Documents and Settings\eric\Application Data\IGN_DLM
2007-08-28 23:07 --------- d-----w C:\Program Files\IGN
2007-08-28 22:58 --------- d-----w C:\Program Files\MAIET
2007-08-25 13:07 --------- d-----w C:\Program Files\Quark
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-28 22:12 4,215,160 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-17_19.45.28.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-28 1308 135,168 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-20 10:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 05:04]
"C-Media Mixer"="Mixer.exe" [2002-04-30 10:23 C:\WINDOWS\mixer.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 10:21]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-09-07 20:03]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 19:58]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 05:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2007-03-05 13:57]
"Steam"="d:\valve\steam.exe" [2007-10-14 00:04]
"DAEMON Tools"="D:\Daemon\DAEMON Tools\daemon.exe" [2007-08-16 07:24]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-09-06 15:27]
"RemoveIT Pro XT"="C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe" [2007-09-24 19:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06]
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe [2005-08-18 17:09:58]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 01:37:10]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 0258]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

R3 BLKWGD;Belkin Wireless G Desktop Card Service;C:\WINDOWS\system32\DRIVERS\BLKWGD.sys
R3 wlanndi5;wlanndi5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\wlanndi5.SYS
S3 gAGP440p;gAGP440p;\??\C:\DOCUME~1\eric\LOCALS~1\Temp\gAGP440p.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-04-01 17:14:35 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1166998440.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2007-10-19 20:18:00 C:\WINDOWS\Tasks\WebReg 20070813161800.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-20 01:44:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-20 1:46:01
C:\ComboFix2.txt ... 2007-10-20 01:06
C:\ComboFix3.txt ... 2007-10-17 19:46
.
--- E O F ---
Lunearetic is offline  
Old 10-19-2007, 11:56 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: Trojan - webassist.dll & more

So all of the symptoms described in your first post are gone now?

I had meant to mention earlier that once you've removed the C:\Program Files\InCode Solutions folder, run a scan with HijackThis. Fix the following entry if it still remains:

O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
Ried is offline  
Old 10-20-2007, 12:04 AM   #10 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 35
OS: Windows XP Media


Re: Trojan - webassist.dll & more

Sorry, I thought you meant anything unusual after the test. But no, I just did a quick test to view videos on Youtube for example and it doesn't play the entire way. I tried a download and it cut off at about 10% into the download.

Oh yeah, I deleted the folder you mentioned earlier, I couldn't find the uninstall.

What do you mean exactly by "Fix the following entry"?

*EDIT* Sorry, I think I know what you mean by fix the entry now.

Last edited by Lunearetic; 10-20-2007 at 12:08 AM.
Lunearetic is offline  
Old 10-20-2007, 12:09 AM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: Trojan - webassist.dll & more

My apologies, I was under the impression you were familiar with the HijackThis tool.

Run the scan with HijackThis and place a 'check' next to the entry I mentioned above, if it still exists.

Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

I'd like you to perform another online scan and see if it reveals anything further. Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
Ried is offline  
Old 10-20-2007, 12:33 AM   #12 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 35
OS: Windows XP Media


Re: Trojan - webassist.dll & more

Hey Ried, sorry, I never could physically delete RemoveIT from the hard drive. It gave me an error that it was currently in use and could not be deleted. (My mind's not at 100% right now, sorry.) I did the HiJack fix, but the physical file is still there. Any way to end its process?

*EDIT* Fixed it! Sorry to have brought it up again.

Also, the Kasp scan is taking a really long time. It seems to be stuck on WordperfectOfficeX3Installer.exe, only 10 files scanned so far and it's been 5 minutes. (0% marked on the bar)

*EDIT* It's moving a bit faster now, better than 0%. But it's likely to take more than an hour or two. Can we regroup tomorrow? (I'll post the results first thing when I wake up)

Is there a way you can monitor my thread? I'm going to be busy tomorrow afternoonish, just to give you a heads up. I'm willing to stick with TSF until the end.

Thanks for your help so far, Ried!

Last edited by Lunearetic; 10-20-2007 at 12:58 AM.
Old 10-20-2007, 06:14 AM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: Trojan - webassist.dll & more

Hi,

I am subscribed to this thread so I receive notification when you reply.

Post the results when they come in, and we'll pick it up from there.
Old 10-20-2007, 10:23 AM   #14 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 35
OS: Windows XP Media


Re: Trojan - webassist.dll & more

Here's the Kaspersky scan.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, October 20, 2007 12:18:47 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/10/2007
Kaspersky Anti-Virus database records: 441382
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 63171
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 02:11:08

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01B00000\47F2E7FC.VBN Infected: not-a-virus:AdWare.Win32.BHO.cz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09B80000\4FFB29D7.VBN Infected: Trojan.Win32.Patched.af skipped
C:\Documents and Settings\eric\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\eric\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped
C:\Documents and Settings\eric\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\eric\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\eric\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML Object is locked skipped
C:\Documents and Settings\eric\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\eric\Local Settings\History\History.IE5\MSHist012007102020071021\index.dat Object is locked skipped
C:\Documents and Settings\eric\Local Settings\Temp\~DFCEC5.tmp Object is locked skipped
C:\Documents and Settings\eric\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\eric\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\eric\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0420NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0484NAV~.TMP Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{75EF855E-0563-4B0C-B50D-F41CB3C902BC}\RP255\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{26149B96-2A29-4884-B929-3DC58C6C0293}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{75EF855E-0563-4B0C-B50D-F41CB3C902BC}\RP255\change.log Object is locked skipped

Scan process completed.
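Reading a Kaspersky Online Scanner report by hand is tedious because nearly every line is an "Object is locked" entry for a registry hive, event log, index.dat or similar file the scanner could not open, and those lines say nothing about infection. The script below is an added example, not part of the original thread and not code from Kaspersky or Symantec. It parses the report format pasted above and sorts the results into locked objects (noise, with locked kernel drivers listed separately because they deserve a second look), detections that sit inside another product's quarantine store (Symantec's .VBN files here, which are inert wrapped copies of what Symantec already caught), and detections on live paths that would actually need cleaning. The quarantine path markers and the embedded sample report (a handful of lines copied from the log above) are constructed for the example.

```python
"""Triage a Kaspersky Online Scanner (v5) text report.

Added example for the thread above; not code from the forum, Kaspersky or
Symantec. Result lines have the form "<path> <status> <action>", where the
status is either "Object is locked" or "Infected: <detection name>".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: five result lines copied from the report pasted above,
# plus the header and trailer lines, so the example runs offline.
SAMPLE_REPORT = r"""Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01B00000\47F2E7FC.VBN Infected: not-a-virus:AdWare.Win32.BHO.cz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09B80000\4FFB29D7.VBN Infected: Trojan.Win32.Patched.af skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

Scan process completed.
"""

# Paths contain spaces, so the path is matched lazily up to the first status
# marker; the header line and "Scan process completed." do not match.
RESULT_LINE = re.compile(
    r"^(?P<path>.+?) (?:(?P<locked>Object is locked)|Infected: (?P<name>\S+)) (?P<action>\S+)$"
)

# Assumption: a detection whose path contains one of these fragments, or that
# is a Symantec .VBN container, is already held by another product's quarantine.
QUARANTINE_MARKERS = ("\\quarantine\\",)


@dataclass
class Finding:
    path: str
    status: str            # "locked" or "infected"
    name: Optional[str]    # detection name, only for infected objects
    action: str            # what the scanner did, "skipped" in report-only mode


def parse_report(text: str) -> List[Finding]:
    """Turn the raw report text into Finding records, ignoring non-result lines."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = RESULT_LINE.match(line.strip())
        if not m:
            continue
        status = "locked" if m.group("locked") else "infected"
        findings.append(Finding(m.group("path"), status, m.group("name"), m.group("action")))
    return findings


def is_quarantined(path: str) -> bool:
    """True when the detection lives inside a quarantine store rather than on a live path."""
    low = path.lower()
    return any(marker in low for marker in QUARANTINE_MARKERS) or low.endswith(".vbn")


def triage(text: str) -> Dict[str, object]:
    """Summarise a report: what is noise, what is already contained, what is live."""
    findings = parse_report(text)
    infected = [f for f in findings if f.status == "infected"]
    return {
        "locked": sum(1 for f in findings if f.status == "locked"),
        "infected": len(infected),
        "quarantined": [f for f in infected if is_quarantined(f.path)],
        "live": [f for f in infected if not is_quarantined(f.path)],
        # A locked driver file is unusual: loaded drivers are normally readable,
        # so one the scanner could not open is worth identifying by hand.
        "locked_drivers": [
            f.path for f in findings
            if f.status == "locked" and "\\drivers\\" in f.path.lower()
        ],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"locked objects: {result['locked']}, detections: {result['infected']}")
    for f in result["quarantined"]:
        print("already quarantined:", f.name, "->", f.path)
    for f in result["live"]:
        print("LIVE on disk:", f.name, "->", f.path)
    for p in result["locked_drivers"]:
        print("locked driver, confirm its origin:", p)
```

On the report above, both detections resolve to Symantec's quarantine folder and the "live" list is empty, which matches the analyst's reading that Kaspersky is only reporting items Symantec already caught; the right action for those is to purge the Symantec quarantine, not to treat them as active infections. The one locked driver, sptd.sys, is normally the SCSI pass-through driver installed with Daemon Tools or Alcohol 120%; it hides its own file by design, so scanners cannot open it, and its presence alone is not evidence of malware, but it is exactly the kind of entry worth confirming rather than ignoring.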
Old 10-20-2007, 06:22 PM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: Trojan - webassist.dll & more

Kaspersky is only reporting items in your Symantec Quarantine.

I need more details clarified in order to determine the next course of action:

1. Symantec now runs properly--it is no longer disabling on its own?

2. MSN works properly now?

3. System boot times have improved?

4. Only downloading Videos is an issue now?
Old 10-20-2007, 11:55 PM   #16 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 35
OS: Windows XP Media


Re: Trojan - webassist.dll & more

1. I tried to Enable Symantec again, but again, it quickly disables itself. It also gives me a warning that it disabled itself, even though in the "Preferences" or what not, it's marked "always enabled", and in the advanced tab, that if it were disabled, it would enable itself within 3 minutes (minimum)

2. MSN does not work properly yet. It still logs me on and off.

3. I rebooted my computer, it still takes 2-3 minutes. (It's not a major issue, it could also be because of all the software I have on my system, but if it's caused by a virus, it would be good to get it fixed)

4. Anything related to downloading files usually bigger than 3-5 megs. Sometimes to save software, I have to "Save Target As" and if the download stalls, then I cancel and repeat the "Save Target As" process so it downloads from where it left off. Everything related to the internet is my big issue. (For some reason, a few sites let me download huge files, ie 40 megs, in a matter of minutes without stalling while others take 3 to 4 tries just to download a trial of Winzip!)

I've had a few symptoms (not as annoying) like this before on this computer a few years ago. It has been reformatted a few times since then. I kept thinking it was my router or the internet service because it wasn't normal to be continuously booted from online games every 5 minutes.

Would it be possible that some of these problems have something to do with a dying motherboard or something that controls internet to the computer? (I've already had my video card die on me, and some RAM replaced)

P.S. On an extra note, Windows now keeps telling me that there are no firewalls protecting my computer. Any pointers on firewall settings? (That's if it even takes effect)

On an extra note, Limewire does not seem to have any trouble downloading files either. The software had to be allowed through the firewall to work though, but it doesn't give the problems that the others do. (Is this too much useless information or do you need anything you can get?)
Old 10-21-2007, 07:37 AM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: Trojan - webassist.dll & more

No, this is not useless info. When I see nothing in the logs, I need as much info as possible to try to determine if it's malware or OS issues.

While some of your issues do not necessarily indicate malware is at play, Symantec should not be disabling itself.

This next tool can be quite aggressive. Please be sure to configure it exactly as listed below:

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double-click the drweb-cureit.exe file and allow it to run the express scan. This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, we need to change the default settings.
  • In the Menu Bar, Go to Options>Change Settings.
  • Click on the Actions tab
  • Using the drop down menus, change each item under Objects and Malware to Report
  • Next, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'No to All' if it asks if you want to cure/move the file.
  • After the scan has completed, in the Dr.Web CureIt menu on top, click File and choose Save Report List
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Post the contents of the log from Dr.Web you saved previously in your next reply.
-------------------------------------------------------------

Please run dss.exe again, but use these instructions:

Click Start>Select 'Run' - then copy/paste the following text into the run box & click OK

"%userprofile%\desktop\dss.exe" /config

Click on "Check All"

Click Scan!

When finished, it shall produce main.txt and extra.txt for you.

Please return with:

DrWeb results
main.txt
extra.txt
Old 10-21-2007, 10:24 AM   #18 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 35
OS: Windows XP Media


Re: Trojan - webassist.dll & more

Hey Ried, my internet cut-off problem is preventing me from downloading the entire thing (Dr. Web CureIt), and my Save Target As trick doesn't seem to work for this one. Can you think of an alternative way of getting it to my Desktop?

(I don't have any extra computers I can use, only a Macintosh at work but it usually doesn't allow me to download exe files.)
Old 10-21-2007, 05:53 PM   #19 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: Trojan - webassist.dll & more

We need to be able to run tools to dig this out.

Have you tried using System Restore yet?

Click Start>All Programs>Accessories>System Tools
  • Select System Restore
  • Next, select 'Restore my computer to an earlier time'
  • Choose a bolded date closest to just before all these problems began.
  • Follow the on-screen prompts.

If System Restore was able to complete, you'll need to download Deckard's System Scanner again and run dss.exe. Post the new main.txt and extra.txt
Old 10-21-2007, 08:57 PM   #20 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 35
OS: Windows XP Media


Re: Trojan - webassist.dll & more

The internet cut-off problem started before my reformat, so I don't know at which point to restore. The system restore could probably fix my Norton disabling problem though.

Does a restore erase any files created in between, such as Photoshop/Illustrator files (and others)?

I will try to leave the Dr.Web download for the night, hoping it won't give me any errors.

*EDIT* Finally, some luck. I got the Dr. Web. I will follow your previous instructions and get back to you afterwards.

Last edited by Lunearetic; 10-21-2007 at 09:00 PM.
 


Copyright 2001 - 2009, Tech Support Forum