Possible WareOut infection ... please help!!![resolved]

Unknown

Hi everyone,

I've searched the internet for 3 days now on a possible help to my problem. When I came to this forum I finally had a clue of what it could be. I've already used several different anti-spyware and anti-virus to scan my system both in normal and safe mode.

Also, from reading (what I thing is) a thread with similar problems I've gone ahead and ran already both FixWareout and HijackThis so I'm posting the result logs next.

Any help would be much appreciated as this is my work machine and productivity has taken quite a blow.

Now for the logs:

--- FixWareout ---


Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8834FEBC8D96-1D8B-DA44-ECB1-DC966A75{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7EA35DD3A1D6-A168-E014-90AC-5B817536{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\onisacputes
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmbdb.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE
* csr.exe C:\WINDOWS\System32\CSENR.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSENR.EXE 51.271 2006-07-23
C:\WINDOWS\SYSTEM32\CSGEC.EXE 51.271 2006-07-23
C:\WINDOWS\SYSTEM32\CSHZM.EXE 51.271 2006-07-24
Other suspects
Directory of C:\WINDOWS\system32
{57A669CD-1BCE-44AD-B8D1-69D8CBEF4388}.exe
{87967219-E74F-4184-B2E0-E6DB0C6DE3BD}.exe
{F135AFE1-D419-4ADF-A0FB-AF063C026CE2}.exe
{B8AAB570-0527-4610-9CE8-A46879CE8BF9}.exe
{80973220-300A-475D-870F-E4E273C4188C}.exe
{A0848B57-792F-4A49-ACCE-3C2EED994E9A}.exe
{42EF5668-9CA9-437A-82EB-C22FE8FB3DC4}.exe
{7027203D-A455-47A4-95B2-D3DC05322340}.exe
{0968032D-5783-41D6-9F04-20E980354308}.exe
{D88357B0-8417-4625-AF1C-AAFD87FB89CC}.exe
{67545A65-8DDD-4E77-B0A9-81D896588BC6}.exe
{319A61E2-D34E-4C7E-B9C4-0F54512BE5DB}.exe
{B283AB97-73EE-41BF-A706-C61BF31C67A7}.exe
{117CF5B4-FBC7-480E-83E8-D1270F204F7A}.exe
{B573C0C7-1445-45D2-8482-94B8B768C69E}.exe
{81003B21-E66D-41C1-A8AA-C90E6CEC25A9}.exe
{BA252534-E61A-49DF-AB35-7739EE954EDB}.exe
{FE15A83D-81D8-4D77-86F5-AE4AE0F592AD}.exe
{0751F4D9-32C5-4AC3-8674-C03CFCAF9A95}.exe
{B8EB4621-E774-41E0-B815-ADB1581063A0}.exe
{A0C0B239-22C7-43DD-9490-C62FA42A65F8}.exe
{E360E55E-2398-4106-AD6A-8692736C5D13}.exe
{5409DF7B-7343-4797-A555-5A26168D26D5}.exe
{7596290F-62A1-429E-B952-70AE907B8C1C}.exe
{0E7D2302-14A1-48DE-943E-1F7ECAA30F0C}.exe
{183194EC-503C-4B3D-9F60-3E72F457C9B3}.exe
{DBA862E2-261A-4BB7-A28B-ECE497CF0B5A}.exe
{1ADF15D6-10A8-4B2C-BA76-2FE86D65A065}.exe
{FC31CEEB-C17E-419E-90BC-1D6458FA0C3C}.exe
{BDA817A7-AD1E-4207-9265-B65FF2F2C7F8}.exe
{38916EE5-90AE-442E-B119-881D7DF945B8}.exe
{EECDB8C7-43CC-481B-AEBF-C3B931B1C86A}.exe
{AB701DEF-C6F7-42FE-998A-D6C28EC7A05C}.exe
{ED1ABFB4-D26A-4CFE-B4B5-0D7DF1FB16F9}.exe
{235832A6-DB48-4B6A-AE13-FCFD4C6B7589}.exe
{6FADCDF0-60E6-4EC7-A42C-4537E8161515}.exe
{41178DB0-2F0D-49DC-BF02-9A53925ECC8D}.exe
{E42C9E4A-7341-4C58-A61A-76C6D8438084}.exe
{1552AA62-DC82-4B2B-B4F9-9E75E0B09402}.exe
{918F6ED6-278B-4D69-9FFD-9F618FB320E3}.exe
{4BFE996F-1E81-4165-A748-3D5672182DD7}.exe
{A6C44E48-C370-4F37-BE83-2E107D1CECCF}.exe
{A2F286F0-1C9A-4F98-BDBE-5A63B43F1E1E}.exe

--- HijackThis log (will follow in next post) ---

aikanaro

Logfile of HijackThis v1.99.1
Scan saved at 12:38:07, on 26-07-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programs\Intel\Wireless\Bin\EvtEng.exe
C:\Programs\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programs\Alwil Software\Avast4\aswUpdSv.exe
C:\Programs\Alwil Software\Avast4\ashServ.exe
C:\Acer\Empowering Technology\admServ.exe
c:\Program Files\Software WIDCOMM\Bluetooth\bin\btwdins.exe
C:\Programs\ewido anti-spyware 4.0\guard.exe
C:\Programs\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programs\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programs\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Programs\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Programs\Alwil Software\Avast4\ashMaiSv.exe
C:\Programs\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\Programs\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Protector Suite QL\menusw.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Programs\ALWILS~1\Avast4\ashDisp.exe
C:\Programs\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sun\Java\se\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Programs\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Acer\Soft Button\tabletpc.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Programs\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programs\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programs\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Programs\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Software WIDCOMM\Bluetooth\BTTray.exe
C:\Programs\Process Explorer\procexp.exe
C:\Programs\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Programs\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R3 - URLSearchHook: (no name) - {30AB1105-1C2D-C192-DF5B-A83023DFCA2D} - runload32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programs\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Sun\Java\se\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Biomenu] "C:\Program Files\Protector Suite QL\menusw.exe"
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [avast!] C:\Programs\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programs\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Sun\Java\se\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programs\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i
O4 - HKLM\..\Run: [AcerSoftButton] C:\Acer\Soft Button\tabletpc.exe
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programs\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programs\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Programs\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [msag] PasswdMon.exe
O4 - HKLM\..\Run: [PasswdMon] TemplateDongle.exe
O4 - HKLM\..\Run: [yjwxn.exe] C:\WINDOWS\system32\yjwxn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [br0ken] backorif.exe
O4 - HKCU\..\Run: [SetupExeDll] BoundRec.exe
O4 - HKCU\..\Run: [media64] Kargo.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Process Explorer.lnk = C:\Programs\Process Explorer\procexp.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Programs\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Programs\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Programs\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Programs\Free Download Manager\dllink.htm
O8 - Extra context menu item: Enviar para &Bluetooth - c:\Program Files\Software WIDCOMM\Bluetooth\btsendto_ie_ctx.htm
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\aikanaro\Application Data\Mozilla\Firefox\Profiles\nnhgwmp3.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\aikanaro\Application Data\Mozilla\Firefox\Profiles\nnhgwmp3.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Sun\Java\se\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Sun\Java\se\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153766034203
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{36EF726F-DD14-4D90-92B2-C699A886C5D3}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7BB3107-017C-40B9-8F5F-7F4DAE19D49A}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9DF1644-5D3C-4F33-B712-C0AFDD3D636F}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{C26F2C22-63B8-47B9-A0AB-D97AD307A033}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB2C5266-B741-42CF-83F7-B306B5AEAEFF}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{E49EA1C9-B839-4C55-9515-94F3B4F03638}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{F11DA4ED-791C-4ACC-922C-C69892D92746}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDD31529-9F9F-4C57-BC74-7340CE175EE6}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.197 85.255.112.128
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.197 85.255.112.128
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.197 85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.197 85.255.112.128
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll
O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\fusstub.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programs\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programs\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programs\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programs\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\Software WIDCOMM\Bluetooth\bin\btwdins.exe
O23 - Service: CFGXGODSAJV - Sysinternals - www.sysinternals.com - C:\DOCUME~1\aikanaro\LOCALS~1\Temp\CFGXGODSAJV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programs\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programs\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Programs\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programs\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programs\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Programs\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

Crunchie

Please go to Jotti's and have these files scanned. Post the results back here.

C:\WINDOWS\System32\CSENR.EXE
C:\WINDOWS\SYSTEM32\CSENR.EXE
C:\WINDOWS\SYSTEM32\CSGEC.EXE
C:\WINDOWS\SYSTEM32\CSHZM.EXE

aikanaro

I'm sorry for the delay...as the first 2 entries are the same I'll only post one result (I hope there's no problem with it).

File: csenr.exe
Status: INFECTED/MALWARE
MD5 481eb93643ef55d696c7787facb93566
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Downloader.Mohbpork.A
ClamAV Found nothing
Dr.Web Found Trojan.DownLoader.10960
F-Prot Antivirus Found Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.uj
NOD32 Found a variant of Win32/Small.FB
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Downloader.Win32.Agent.uj

File: CSGEC.EXE
Status: OK
MD5 f097d1f4186ee2765ae08d793c2229d6
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

File: cshzm.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 f097d1f4186ee2765ae08d793c2229d6
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Crunchie

1. Please download The Avenger by Swandog46 to your Desktop.

• Click on Avenger.zip to open the file
• Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\{57A669CD-1BCE-44AD-B8D1-69D8CBEF4388}.exe
C:\WINDOWS\system32\{87967219-E74F-4184-B2E0-E6DB0C6DE3BD}.exe
C:\WINDOWS\system32\{F135AFE1-D419-4ADF-A0FB-AF063C026CE2}.exe
C:\WINDOWS\system32\{B8AAB570-0527-4610-9CE8-A46879CE8BF9}.exe
C:\WINDOWS\system32\{80973220-300A-475D-870F-E4E273C4188C}.exe
C:\WINDOWS\system32\{A0848B57-792F-4A49-ACCE-3C2EED994E9A}.exe
C:\WINDOWS\system32\{42EF5668-9CA9-437A-82EB-C22FE8FB3DC4}.exe
C:\WINDOWS\system32\{7027203D-A455-47A4-95B2-D3DC05322340}.exe
C:\WINDOWS\system32\{0968032D-5783-41D6-9F04-20E980354308}.exe
C:\WINDOWS\system32\{D88357B0-8417-4625-AF1C-AAFD87FB89CC}.exe
C:\WINDOWS\system32\{67545A65-8DDD-4E77-B0A9-81D896588BC6}.exe
C:\WINDOWS\system32\{319A61E2-D34E-4C7E-B9C4-0F54512BE5DB}.exe
C:\WINDOWS\system32\{B283AB97-73EE-41BF-A706-C61BF31C67A7}.exe
C:\WINDOWS\system32\{117CF5B4-FBC7-480E-83E8-D1270F204F7A}.exe
C:\WINDOWS\system32\{B573C0C7-1445-45D2-8482-94B8B768C69E}.exe
C:\WINDOWS\system32\{81003B21-E66D-41C1-A8AA-C90E6CEC25A9}.exe
C:\WINDOWS\system32\{BA252534-E61A-49DF-AB35-7739EE954EDB}.exe
C:\WINDOWS\system32\{FE15A83D-81D8-4D77-86F5-AE4AE0F592AD}.exe
C:\WINDOWS\system32\{0751F4D9-32C5-4AC3-8674-C03CFCAF9A95}.exe
C:\WINDOWS\system32\{B8EB4621-E774-41E0-B815-ADB1581063A0}.exe
C:\WINDOWS\system32\{A0C0B239-22C7-43DD-9490-C62FA42A65F8}.exe
C:\WINDOWS\system32\{E360E55E-2398-4106-AD6A-8692736C5D13}.exe
C:\WINDOWS\system32\{5409DF7B-7343-4797-A555-5A26168D26D5}.exe
C:\WINDOWS\system32\{7596290F-62A1-429E-B952-70AE907B8C1C}.exe
C:\WINDOWS\system32\{0E7D2302-14A1-48DE-943E-1F7ECAA30F0C}.exe
C:\WINDOWS\system32\{183194EC-503C-4B3D-9F60-3E72F457C9B3}.exe
C:\WINDOWS\system32\{DBA862E2-261A-4BB7-A28B-ECE497CF0B5A}.exe
C:\WINDOWS\system32\{1ADF15D6-10A8-4B2C-BA76-2FE86D65A065}.exe
C:\WINDOWS\system32\{FC31CEEB-C17E-419E-90BC-1D6458FA0C3C}.exe
C:\WINDOWS\system32\{BDA817A7-AD1E-4207-9265-B65FF2F2C7F8}.exe
C:\WINDOWS\system32\{38916EE5-90AE-442E-B119-881D7DF945B8}.exe
C:\WINDOWS\system32\{EECDB8C7-43CC-481B-AEBF-C3B931B1C86A}.exe
C:\WINDOWS\system32\{AB701DEF-C6F7-42FE-998A-D6C28EC7A05C}.exe
C:\WINDOWS\system32\{ED1ABFB4-D26A-4CFE-B4B5-0D7DF1FB16F9}.exe
C:\WINDOWS\system32\{235832A6-DB48-4B6A-AE13-FCFD4C6B7589}.exe
C:\WINDOWS\system32\{6FADCDF0-60E6-4EC7-A42C-4537E8161515}.exe
C:\WINDOWS\system32\{41178DB0-2F0D-49DC-BF02-9A53925ECC8D}.exe
C:\WINDOWS\system32\{E42C9E4A-7341-4C58-A61A-76C6D8438084}.exe
C:\WINDOWS\system32\{1552AA62-DC82-4B2B-B4F9-9E75E0B09402}.exe
C:\WINDOWS\system32\{918F6ED6-278B-4D69-9FFD-9F618FB320E3}.exe
C:\WINDOWS\system32\{4BFE996F-1E81-4165-A748-3D5672182DD7}.exe
C:\WINDOWS\system32\{A6C44E48-C370-4F37-BE83-2E107D1CECCF}.exe
C:\WINDOWS\system32\{A2F286F0-1C9A-4F98-BDBE-5A63B43F1E1E}.exe
C:\WINDOWS\System32\CSENR.EXE

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Script file to execute" choose "Input Script Manually".
• Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
• Paste the text copied to clipboard into this window by pressing (Ctrl+V).
• Click Done
• Now click on the Green Light to begin execution of the script
• Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

• It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
• On reboot, it will briefly open a black command window on your desktop, this is normal.
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

aikanaro

--- avenger.txt ---

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\sxfjbfwn

*******************

Script file located at: \??\C:\Program Files\oekxogfl.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\{57A669CD-1BCE-44AD-B8D1-69D8CBEF4388}.exe deleted successfully.
File C:\WINDOWS\system32\{87967219-E74F-4184-B2E0-E6DB0C6DE3BD}.exe deleted successfully.
File C:\WINDOWS\system32\{F135AFE1-D419-4ADF-A0FB-AF063C026CE2}.exe deleted successfully.
File C:\WINDOWS\system32\{B8AAB570-0527-4610-9CE8-A46879CE8BF9}.exe deleted successfully.
File C:\WINDOWS\system32\{80973220-300A-475D-870F-E4E273C4188C}.exe deleted successfully.
File C:\WINDOWS\system32\{A0848B57-792F-4A49-ACCE-3C2EED994E9A}.exe deleted successfully.
File C:\WINDOWS\system32\{42EF5668-9CA9-437A-82EB-C22FE8FB3DC4}.exe deleted successfully.
File C:\WINDOWS\system32\{7027203D-A455-47A4-95B2-D3DC05322340}.exe deleted successfully.
File C:\WINDOWS\system32\{0968032D-5783-41D6-9F04-20E980354308}.exe deleted successfully.
File C:\WINDOWS\system32\{D88357B0-8417-4625-AF1C-AAFD87FB89CC}.exe deleted successfully.
File C:\WINDOWS\system32\{67545A65-8DDD-4E77-B0A9-81D896588BC6}.exe deleted successfully.
File C:\WINDOWS\system32\{319A61E2-D34E-4C7E-B9C4-0F54512BE5DB}.exe deleted successfully.
File C:\WINDOWS\system32\{B283AB97-73EE-41BF-A706-C61BF31C67A7}.exe deleted successfully.
File C:\WINDOWS\system32\{117CF5B4-FBC7-480E-83E8-D1270F204F7A}.exe deleted successfully.
File C:\WINDOWS\system32\{B573C0C7-1445-45D2-8482-94B8B768C69E}.exe deleted successfully.
File C:\WINDOWS\system32\{81003B21-E66D-41C1-A8AA-C90E6CEC25A9}.exe deleted successfully.
File C:\WINDOWS\system32\{BA252534-E61A-49DF-AB35-7739EE954EDB}.exe deleted successfully.
File C:\WINDOWS\system32\{FE15A83D-81D8-4D77-86F5-AE4AE0F592AD}.exe deleted successfully.
File C:\WINDOWS\system32\{0751F4D9-32C5-4AC3-8674-C03CFCAF9A95}.exe deleted successfully.
File C:\WINDOWS\system32\{B8EB4621-E774-41E0-B815-ADB1581063A0}.exe deleted successfully.
File C:\WINDOWS\system32\{A0C0B239-22C7-43DD-9490-C62FA42A65F8}.exe deleted successfully.
File C:\WINDOWS\system32\{E360E55E-2398-4106-AD6A-8692736C5D13}.exe deleted successfully.
File C:\WINDOWS\system32\{5409DF7B-7343-4797-A555-5A26168D26D5}.exe deleted successfully.
File C:\WINDOWS\system32\{7596290F-62A1-429E-B952-70AE907B8C1C}.exe deleted successfully.
File C:\WINDOWS\system32\{0E7D2302-14A1-48DE-943E-1F7ECAA30F0C}.exe deleted successfully.
File C:\WINDOWS\system32\{183194EC-503C-4B3D-9F60-3E72F457C9B3}.exe deleted successfully.
File C:\WINDOWS\system32\{DBA862E2-261A-4BB7-A28B-ECE497CF0B5A}.exe deleted successfully.
File C:\WINDOWS\system32\{1ADF15D6-10A8-4B2C-BA76-2FE86D65A065}.exe deleted successfully.
File C:\WINDOWS\system32\{FC31CEEB-C17E-419E-90BC-1D6458FA0C3C}.exe deleted successfully.
File C:\WINDOWS\system32\{BDA817A7-AD1E-4207-9265-B65FF2F2C7F8}.exe deleted successfully.
File C:\WINDOWS\system32\{38916EE5-90AE-442E-B119-881D7DF945B8}.exe deleted successfully.
File C:\WINDOWS\system32\{EECDB8C7-43CC-481B-AEBF-C3B931B1C86A}.exe deleted successfully.
File C:\WINDOWS\system32\{AB701DEF-C6F7-42FE-998A-D6C28EC7A05C}.exe deleted successfully.
File C:\WINDOWS\system32\{ED1ABFB4-D26A-4CFE-B4B5-0D7DF1FB16F9}.exe deleted successfully.
File C:\WINDOWS\system32\{235832A6-DB48-4B6A-AE13-FCFD4C6B7589}.exe deleted successfully.
File C:\WINDOWS\system32\{6FADCDF0-60E6-4EC7-A42C-4537E8161515}.exe deleted successfully.
File C:\WINDOWS\system32\{41178DB0-2F0D-49DC-BF02-9A53925ECC8D}.exe deleted successfully.
File C:\WINDOWS\system32\{E42C9E4A-7341-4C58-A61A-76C6D8438084}.exe deleted successfully.
File C:\WINDOWS\system32\{1552AA62-DC82-4B2B-B4F9-9E75E0B09402}.exe deleted successfully.
File C:\WINDOWS\system32\{918F6ED6-278B-4D69-9FFD-9F618FB320E3}.exe deleted successfully.
File C:\WINDOWS\system32\{4BFE996F-1E81-4165-A748-3D5672182DD7}.exe deleted successfully.
File C:\WINDOWS\system32\{A6C44E48-C370-4F37-BE83-2E107D1CECCF}.exe deleted successfully.
File C:\WINDOWS\system32\{A2F286F0-1C9A-4F98-BDBE-5A63B43F1E1E}.exe deleted successfully.
File C:\WINDOWS\System32\CSENR.EXE deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


--- HighjackThis ---

Logfile of HijackThis v1.99.1
Scan saved at 22:53:12, on 26-07-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programs\Intel\Wireless\Bin\EvtEng.exe
C:\Programs\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programs\Alwil Software\Avast4\aswUpdSv.exe
C:\Programs\Alwil Software\Avast4\ashServ.exe
C:\Acer\Empowering Technology\admServ.exe
c:\Program Files\Software WIDCOMM\Bluetooth\bin\btwdins.exe
C:\Programs\ewido anti-spyware 4.0\guard.exe
C:\Programs\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programs\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programs\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Programs\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\Programs\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Programs\Alwil Software\Avast4\ashMaiSv.exe
C:\Programs\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Protector Suite QL\menusw.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Programs\ALWILS~1\Avast4\ashDisp.exe
C:\Programs\iTunes\iTunesHelper.exe
C:\Program Files\Sun\Java\se\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Programs\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Acer\Soft Button\tabletpc.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Programs\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programs\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programs\Intel\Wireless\Bin\EOUWiz.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Programs\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Software WIDCOMM\Bluetooth\BTTray.exe
C:\Programs\Process Explorer\procexp.exe
C:\Programs\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\notepad.exe
C:\Programs\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R3 - URLSearchHook: (no name) - {30AB1105-1C2D-C192-DF5B-A83023DFCA2D} - runload32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programs\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Sun\Java\se\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Biomenu] "C:\Program Files\Protector Suite QL\menusw.exe"
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [avast!] C:\Programs\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programs\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Sun\Java\se\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programs\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i
O4 - HKLM\..\Run: [AcerSoftButton] C:\Acer\Soft Button\tabletpc.exe
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programs\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programs\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Programs\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [msag] PasswdMon.exe
O4 - HKLM\..\Run: [PasswdMon] TemplateDongle.exe
O4 - HKLM\..\Run: [yjwxn.exe] C:\WINDOWS\system32\yjwxn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [br0ken] backorif.exe
O4 - HKCU\..\Run: [SetupExeDll] BoundRec.exe
O4 - HKCU\..\Run: [media64] Kargo.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Process Explorer.lnk = C:\Programs\Process Explorer\procexp.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Programs\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Programs\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Programs\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Programs\Free Download Manager\dllink.htm
O8 - Extra context menu item: Enviar para &Bluetooth - c:\Program Files\Software WIDCOMM\Bluetooth\btsendto_ie_ctx.htm
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\aikanaro\Application Data\Mozilla\Firefox\Profiles\nnhgwmp3.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\aikanaro\Application Data\Mozilla\Firefox\Profiles\nnhgwmp3.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Sun\Java\se\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Sun\Java\se\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153766034203
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{36EF726F-DD14-4D90-92B2-C699A886C5D3}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7BB3107-017C-40B9-8F5F-7F4DAE19D49A}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9DF1644-5D3C-4F33-B712-C0AFDD3D636F}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{C26F2C22-63B8-47B9-A0AB-D97AD307A033}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB2C5266-B741-42CF-83F7-B306B5AEAEFF}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{E49EA1C9-B839-4C55-9515-94F3B4F03638}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{F11DA4ED-791C-4ACC-922C-C69892D92746}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDD31529-9F9F-4C57-BC74-7340CE175EE6}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.197 85.255.112.128
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.197 85.255.112.128
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.197 85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.197 85.255.112.128
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll
O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\fusstub.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programs\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programs\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programs\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programs\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\Software WIDCOMM\Bluetooth\bin\btwdins.exe
O23 - Service: CFGXGODSAJV - Sysinternals - www.sysinternals.com - C:\DOCUME~1\aikanaro\LOCALS~1\Temp\CFGXGODSAJV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programs\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programs\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Programs\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programs\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programs\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Programs\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

Crunchie

Please run fixwareout one more time, then do the following;

Unload Spybot's Teatimer before we begin. To do this can you start Spybot and go to Tools > Resident and uncheck the box next to Tea-Timer. Make sure that the icon in the system tray is no longer there. If it is, just right click on it and select "Exit". Do not forget to re-enable it when we are done .

===============

Scan with HiJackThis, then check(tick) the following, if present:


R3 - URLSearchHook: (no name) - {30AB1105-1C2D-C192-DF5B-A83023DFCA2D} - runload32.dll (file missing)

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [msag] PasswdMon.exe
O4 - HKLM\..\Run: [PasswdMon] TemplateDongle.exe
O4 - HKLM\..\Run: [yjwxn.exe] C:\WINDOWS\system32\yjwxn.exe
O4 - HKCU\..\Run: [br0ken] backorif.exe
O4 - HKCU\..\Run: [SetupExeDll] BoundRec.exe
O4 - HKCU\..\Run: [media64] Kargo.exe
O4 - Global Startup: BTTray.lnk = ?

O17 - HKLM\System\CCS\Services\Tcpip\..\{36EF726F-DD14-4D90-92B2-C699A886C5D3}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7BB3107-017C-40B9-8F5F-7F4DAE19D49A}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9DF1644-5D3C-4F33-B712-C0AFDD3D636F}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{C26F2C22-63B8-47B9-A0AB-D97AD307A033}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB2C5266-B741-42CF-83F7-B306B5AEAEFF}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{E49EA1C9-B839-4C55-9515-94F3B4F03638}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{F11DA4ED-791C-4ACC-922C-C69892D92746}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDD31529-9F9F-4C57-BC74-7340CE175EE6}: NameServer = 85.255.113.197,85.255.112.128
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.197 85.255.112.128
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.197 85.255.112.128
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.197 85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.197 85.255.112.128
...(Verify that these ip addresses are for your isp's DNS Servers, if so, don't 'fix' these.)


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

files...

C:\WINDOWS\system32\yjwxn.exe

Search for...

ALCMTR.EXE
PasswdMon.exe
TemplateDongle.exe
backorif.exe
BoundRec.exe
Kargo.exe

...using "Start | Search...".

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

aikanaro

Hi...I've just rebooted. TeaTimer restarted all on it's own and stopped a few registry changes. I'll post the log here so you can see for yourself it it is important or not. Also, 2 of the files you said to delete were found inside the Prefetch folder with a little different name. I also deleted them. Everything seems to be fine now...is there a way to be sure that this situation might be resolved?

--- TeaTimer ---

27-07-2006 11:46:33 Denied value "br0ken" (new data: "") deleted in System Startup user entry!
27-07-2006 11:46:33 Denied value "SetupExeDll" (new data: "") deleted in System Startup user entry!
27-07-2006 11:46:33 Denied value "media64" (new data: "") deleted in System Startup user entry!
27-07-2006 11:47:39 Denied value "Alcmtr" (new data: "") deleted in System Startup global entry!
27-07-2006 11:47:39 Denied value "msag" (new data: "") deleted in System Startup global entry!
27-07-2006 11:47:39 Denied value "PasswdMon" (new data: "") deleted in System Startup global entry!
27-07-2006 11:47:39 Denied value "yjwxn.exe" (new data: "") deleted in System Startup global entry!
27-07-2006 11:47:39 Denied value "{30AB1105-1C2D-C192-DF5B-A83023DFCA2D}" (new data: "") deleted in Internet Explorer searches!


--- HijackThis ---

Logfile of HijackThis v1.99.1
Scan saved at 11:48:12, on 27-07-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programs\Intel\Wireless\Bin\EvtEng.exe
C:\Programs\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programs\Alwil Software\Avast4\aswUpdSv.exe
C:\Programs\Alwil Software\Avast4\ashServ.exe
C:\Acer\Empowering Technology\admServ.exe
c:\Program Files\Software WIDCOMM\Bluetooth\bin\btwdins.exe
C:\Programs\ewido anti-spyware 4.0\guard.exe
C:\Programs\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programs\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\Programs\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programs\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Programs\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Programs\Alwil Software\Avast4\ashMaiSv.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\Programs\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Protector Suite QL\menusw.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Programs\ALWILS~1\Avast4\ashDisp.exe
C:\Programs\iTunes\iTunesHelper.exe
C:\Program Files\Sun\Java\se\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Programs\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Acer\Soft Button\tabletpc.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Programs\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programs\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programs\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Programs\Spybot - Search & Destroy\TeaTimer.exe
C:\Programs\Process Explorer\procexp.exe
C:\Programs\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Programs\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {30AB1105-1C2D-C192-DF5B-A83023DFCA2D} - runload32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Sun\Java\se\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Biomenu] "C:\Program Files\Protector Suite QL\menusw.exe"
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [avast!] C:\Programs\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programs\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Sun\Java\se\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programs\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i
O4 - HKLM\..\Run: [AcerSoftButton] C:\Acer\Soft Button\tabletpc.exe
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programs\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programs\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Programs\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [msag] PasswdMon.exe
O4 - HKLM\..\Run: [PasswdMon] TemplateDongle.exe
O4 - HKLM\..\Run: [yjwxn.exe] C:\WINDOWS\system32\yjwxn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [br0ken] backorif.exe
O4 - HKCU\..\Run: [SetupExeDll] BoundRec.exe
O4 - HKCU\..\Run: [media64] Kargo.exe
O4 - Global Startup: Process Explorer.lnk = C:\Programs\Process Explorer\procexp.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Programs\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Programs\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Programs\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Programs\Free Download Manager\dllink.htm
O8 - Extra context menu item: Enviar para &Bluetooth - c:\Program Files\Software WIDCOMM\Bluetooth\btsendto_ie_ctx.htm
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\aikanaro\Application Data\Mozilla\Firefox\Profiles\nnhgwmp3.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\aikanaro\Application Data\Mozilla\Firefox\Profiles\nnhgwmp3.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Sun\Java\se\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Sun\Java\se\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153766034203
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll
O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\fusstub.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programs\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programs\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programs\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programs\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\Software WIDCOMM\Bluetooth\bin\btwdins.exe
O23 - Service: CFGXGODSAJV - Sysinternals - www.sysinternals.com - C:\DOCUME~1\aikanaro\LOCALS~1\Temp\CFGXGODSAJV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programs\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programs\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Programs\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programs\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programs\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Programs\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

Crunchie

Try it like this;

Disable Spybot's Teatimer again.
Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
Do not forget to re-enable teatimer when we are done .
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

===============

Scan with HiJackThis, then check(tick) the following, if present:


R3 - URLSearchHook: (no name) - {30AB1105-1C2D-C192-DF5B-A83023DFCA2D} - runload32.dll (file missing)

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [msag] PasswdMon.exe
O4 - HKLM\..\Run: [PasswdMon] TemplateDongle.exe
O4 - HKLM\..\Run: [yjwxn.exe] C:\WINDOWS\system32\yjwxn.exe
O4 - HKCU\..\Run: [br0ken] backorif.exe
O4 - HKCU\..\Run: [SetupExeDll] BoundRec.exe
O4 - HKCU\..\Run: [media64] Kargo.exe


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

files...

C:\WINDOWS\system32\yjwxn.exe

Search for...

ALCMTR.EXE
PasswdMon.exe
TemplateDongle.exe
backorif.exe
BoundRec.exe
Kargo.exe

...using "Start | Search...".

They probably do not exist as you have already deleted them, but we just need to be sure .

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

After rebooting, rescan with hijackthis and check for all those entries above. If any exist you will have to uninstall Spybot, run the bat file again, redo the hijackthis fix and reboot again. If they successfully depart, you can then reinstall Spybot.

aikanaro

I did it all as you told me. I think I don't have anything left but I would like to ask if there is a way of making sure that it is really all gone.

I'll post the log of HijackThis after rebooting (I didn't have to uninstall spybot as it didn't start with windows start). Also, at this time I've re-enabled TeaTimer.


--- HijackThis log --- (TeaTimer not yet running)

Logfile of HijackThis v1.99.1
Scan saved at 15:30:15, on 27-07-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programs\Intel\Wireless\Bin\EvtEng.exe
C:\Programs\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programs\Alwil Software\Avast4\aswUpdSv.exe
C:\Programs\Alwil Software\Avast4\ashServ.exe
C:\Acer\Empowering Technology\admServ.exe
c:\Program Files\Software WIDCOMM\Bluetooth\bin\btwdins.exe
C:\Programs\ewido anti-spyware 4.0\guard.exe
C:\Programs\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programs\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programs\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\Explorer.EXE
C:\Programs\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programs\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Protector Suite QL\menusw.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Programs\ALWILS~1\Avast4\ashDisp.exe
C:\Programs\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Sun\Java\se\jre1.5.0_06\bin\jusched.exe
C:\Programs\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Programs\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Acer\Soft Button\tabletpc.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Programs\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programs\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Programs\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Programs\Process Explorer\procexp.exe
C:\Programs\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Programs\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Sun\Java\se\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Biomenu] "C:\Program Files\Protector Suite QL\menusw.exe"
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [avast!] C:\Programs\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programs\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Sun\Java\se\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programs\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i
O4 - HKLM\..\Run: [AcerSoftButton] C:\Acer\Soft Button\tabletpc.exe
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programs\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programs\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Programs\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Process Explorer.lnk = C:\Programs\Process Explorer\procexp.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Programs\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Programs\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Programs\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Programs\Free Download Manager\dllink.htm
O8 - Extra context menu item: Enviar para &Bluetooth - c:\Program Files\Software WIDCOMM\Bluetooth\btsendto_ie_ctx.htm
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\aikanaro\Application Data\Mozilla\Firefox\Profiles\nnhgwmp3.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\aikanaro\Application Data\Mozilla\Firefox\Profiles\nnhgwmp3.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Sun\Java\se\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Sun\Java\se\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153766034203
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll
O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\fusstub.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programs\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programs\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programs\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programs\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\Software WIDCOMM\Bluetooth\bin\btwdins.exe
O23 - Service: CFGXGODSAJV - Sysinternals - www.sysinternals.com - C:\DOCUME~1\aikanaro\LOCALS~1\Temp\CFGXGODSAJV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programs\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programs\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Programs\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programs\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programs\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Programs\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

Crunchie

It all looks good to me now . If none of those files I asked you to remove are on your PC, you can assume you are now clean . You can if you wish, do some online scans?


BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php

Panda ActiveScan
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Housecall at TrendMicro
http://housecall60.trendmicro.com/en/start_corp.asp?id=scan

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Also run this online trojan scanner

TrojanScan

aikanaro

Thanks for all your help.

What do you advise to prevent other problems of the same kind?

Crunchie

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.

Install and keep updated, Ewido anti-malware, Ad-Aware SE and Spybot S&D.
Run them both on a regular basis, following the manufacturer's recommendations.

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.


Clear your Temp folders.
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start>Run and type msconfig. Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

===============

If you have any more problems, post back.

-

Happy surfing,

crunchie.

aikanaro

Thanks for the pointer and again thanks for all your help.

Crunchie

You are welcome .

This thread is now closed. If you need it reopened, please send a PM to one of our Mods.

Include the link to the thread and detail why you need it reopened.

If this is not your thread please start a New Topic.