AfterDawn Forums

Trojan Downloader and Trojan Vundo Please Please Help!!

This discussion thread has 16 messages.

#1
Hi, My PC seems to have trojan downloader and trojan vundo. I have tried following other threads and various removal programs but seem to be going around and around in circles! Im not the most knowledgeable pc user in the world so i havent tried going into safe mode or anything like that or fixing anything in Hijackthis because i am aware that if you dont know what you are doing you could do more damage than good. However I have tried vundofix and AVG 8.0, Trojan remover, xsoft, and other common recomendations out there. These all run and say that the pc has no infections but then windows defender pops up saying it has detected it again! I did originally have norton running on the pc but the trojans seem to have come in regaurdless. I havent had then all running at the sametime, each time i have uninstalled the previous on before starting the next because i am aware that having more than one running can allow things to slip through. I have included a hijackthis log.

Please please help, this is driving me crazy!!
Thanx

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:37:36, on 01/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=4945
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MFESuiteSetup] F:\APPLIC~2\McAfee\setup.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [Boots Insert Detect] C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1178028262296
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8737 bytes
▼▼ This topic has 15 answers - they are below this advertisement ▼▼
AfterDawn Advertisement
#2
Hey RandiM

Please download Malwarebytes Anti-Malware and install it. Follow the prompts and reboot if required.

Launch Malwarebytes either by running C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe or double-click the Malwarebytes' Anti-Malware shortcut on your Desktop.

Configuring Malwarebytes

• Click on the tab Settings.
• Make sure only these boxes are checked:

Terminate Internet Explorer

Automatically save and display logfile after removal
Always scan memory objects
Always scan registry objects
Always scan filesystem
Always scan extra and heuristics objects

Updating Malwarebytes

• Click on the tab Update.
• Press the button Check for Updates
• Wait for Malwarebytes to be fully updated.

Scanning Time

• Click on the tab Scanner.
• Check Perform full scan and click on Scan
• Wait for the scan to complete, and then click on Show Results.
• Make sure all items are checked, then click on Remove Selected.
**If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If you are asked to restart the computer, please do so immediately.

Post A Log

• A text box will pop up after the removal process is over. Post the contents of the text here.
• If no text box pops up, launch Malwarebytes, and click on the tab Logs.
• The logs will appear as mbam-log-*date-*time.txt. Select the latest one, and then click on Open.
• Post the log here.

Best Regards :D

Life is but a dream; you dont feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; thats a dumb question.

#3
Thanx for your response, i am printing off and following your instructions now. I will post the log as soon as im done.

Thanx
RandiM
#4
Hi,

I have downloaded and installed the malwarebytes and followed your instructions. This downloaded and installed fine, however it wouldnt allow me to check for updates. It said that the firewall wouldnt allow it, I added this to my excetions list for the firewall and it still wouldnt allow it. I then turned off teh firewall protection altogether but still this didnt work. I have ran diagnose connection problems in the internet tools menu and it keeps coming up with the following message. Im not sure what this means or what im meant to do? Is this connected to the trojan problems?

Quote:
HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity

warn HTTP: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn FTP (Passive): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
warn HTTPS: Error 12007 connecting to www.passport.net: The server name or address could not be resolved
info HTTP: Successfully connected to www.hotmail.com.
warn FTP (Active): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
info HTTPS: Successfully connected to www.microsoft.com.
error Could not make an FTP connection.




So i ran the malwarebytes scan without the updates and it produced the following log file. (but this is without checking for updates)

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

03/12/2008 00:36:30
mbam-log-2008-12-03 (00-36-30).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|)
Objects scanned: 188432
Time elapsed: 53 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM4fee2e20.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM4fee2e20.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\results.txt (Malware.Trace) -> Quarantined and deleted successfully.

Thanx
RandiM
#5
Hey RandiM

Sounds like the malware's blocking Malwarebytes from updating... we'll have to use another tool.

Now, please download ComboFix.
With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it. Save it to your Desktop.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.

• Run Combo-Fix.exe and follow the prompts.
• Accept the End-User License Agreement.
• Allow the Recovery Console to be installed.
• When you see the window below, click on Yes.


• When the Recovery Console has been installed, click on Yes to start the scan.



**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be fully completed.
• If it requires a reboot, please do so.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComoboFix window, as it may cause it to stall.

Best Regards :D

Life is but a dream; you dont feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; thats a dumb question.

#6
Hi,

I have followed your instructions and ran combofix and it produced the following log:

ComboFix 08-12-02.02 - HP_Owner 2008-12-03 20:58:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.205 [GMT 0:00]
Running from: c:\documents and settings\HP_Owner\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cpnwxgfd.ini
c:\windows\system32\dljklmxj.ini
c:\windows\system32\dohieqix.ini
c:\windows\system32\GMonVyay.ini
c:\windows\system32\GMonVyay.ini2
c:\windows\system32\gPAHOXbc.ini
c:\windows\system32\gPAHOXbc.ini2
c:\windows\system32\kydqftsn.ini
c:\windows\system32\mrwqadgu.ini
c:\windows\system32\psdjweej.ini
c:\windows\system32\qdswxbxi.ini
c:\windows\system32\tdxptecr.ini
c:\windows\system32\unbgwwql.ini
c:\windows\system32\utmprtem.ini
c:\windows\system32\vqoqphqb.ini
c:\windows\system32\wtcqweho.ini
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
.

2008-12-02 23:17 . 2008-12-02 23:17 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-02 23:17 . 2008-12-02 23:17 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2008-12-02 23:17 . 2008-12-02 23:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-02 23:17 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-02 23:17 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-30 19:49 . 2008-11-30 19:49 <DIR> d-------- c:\windows\system32\scripting
2008-11-30 19:49 . 2008-11-30 19:49 <DIR> d-------- c:\windows\system32\bits
2008-11-30 19:49 . 2008-11-30 19:49 <DIR> d-------- c:\windows\l2schemas
2008-11-30 19:43 . 2008-11-30 19:50 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-30 19:26 . 2008-11-30 19:26 <DIR> d-------- C:\VundoFix Backups
2008-11-30 19:24 . 2008-11-30 19:24 <DIR> d-------- c:\windows\EHome
2008-11-29 17:36 . 2006-05-25 15:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2008-11-29 16:20 . 2004-08-03 22:41 1,041,536 --------- c:\windows\system32\drivers\hsfdpsp2.sys
2008-11-29 16:19 . 2008-04-14 00:11 1,888,992 --------- c:\windows\system32\ati3duag.dll
2008-11-29 16:03 . 2008-09-08 10:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-11-29 16:03 . 2008-08-14 10:04 138,496 --------- c:\windows\system32\dllcache\afd.sys
2008-11-29 16:02 . 2008-08-14 10:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-29 16:02 . 2008-08-14 10:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-29 16:02 . 2008-08-14 09:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-29 16:02 . 2008-08-14 09:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-29 16:02 . 2008-09-15 12:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-11-29 16:01 . 2008-04-11 19:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-11-29 16:01 . 2008-10-24 11:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-29 16:00 . 2008-10-15 16:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-11-28 22:39 . 2008-06-13 11:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2008-11-28 22:39 . 2008-05-08 14:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2008-11-19 11:47 . 2008-11-19 13:33 <DIR> d-------- c:\documents and settings\joanne\Application Data\BitTorrent
2008-11-05 01:30 . 2008-11-29 17:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2008-11-05 01:29 . 2008-11-29 17:35 <DIR> d-------- c:\program files\NOS
2008-11-04 19:28 . 2008-11-04 19:28 <DIR> d-------- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 21:00 --------- d-----w c:\documents and settings\HP_Owner\Application Data\DNA
2008-12-03 20:44 --------- d-----w c:\documents and settings\HP_Owner\Application Data\BitTorrent
2008-12-03 20:40 --------- d-----w c:\program files\DNA
2008-11-30 20:57 --------- d-----w c:\program files\DivX
2008-11-30 20:50 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-30 19:55 77,824 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\WinVerifyTrust.dll
2008-11-28 22:55 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-28 22:08 --------- d-----w c:\documents and settings\HP_Owner\Application Data\Apple Computer
2008-11-14 19:29 --------- d-----w c:\program files\BitTorrent
2008-11-05 23:10 --------- d-----w c:\program files\XoftSpySE
2008-11-05 23:08 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-05 23:06 --------- d-----w c:\program files\Disney Interactive
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\dllcache\msxml3.dll
2008-05-25 09:03 160 ----a-w c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2004-07-22 10:51 3,432,656 ----a-w c:\program files\ManagedDX.CAB
2004-07-19 22:58 1,156,363 ----a-w c:\program files\BDANT.cab
2004-07-19 22:53 976,020 ----a-w c:\program files\BDAXP.cab
2004-07-09 14:17 13,265,040 ----a-w c:\program files\dxnt.cab
2004-07-09 09:13 703,080 ----a-w c:\program files\BDA.cab
2004-07-09 09:13 15,493,481 ----a-w c:\program files\DirectX.cab
2004-07-09 04:08 472,576 ----a-w c:\program files\dxsetup.exe
2004-07-09 04:08 2,242,560 ----a-w c:\program files\dsetup32.dll
2004-07-09 03:03 62,976 ----a-w c:\program files\DSETUP.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NCLaunch"="c:\windows\NCLAUNCH.EXe" [2006-06-04 40960]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-05 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-11-13 342336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-24 5537792]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-01-02 180269]
"Home Theater SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2004-11-05 106496]
"WINREMOTE"="c:\program files\InterVideo\Common\Bin\WinRemote.exe" [2004-11-05 192512]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"nwiz"="nwiz.exe" [2005-02-24 c:\windows\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-02-21 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-02-18 c:\windows\ALCWZRD.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-05 258048]
NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2007-06-07 884840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\ffdshow\ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R3 Cap7134;ASUS TV7134 WDM Video Capture;c:\windows\system32\DRIVERS\Cap7134.sys [2005-01-02 335360]
R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\DRIVERS\PhTVTune.sys [2005-01-02 24544]
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;c:\windows\system32\DRIVERS\WG11TND5.sys [2007-06-07 362944]
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys []
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\windows\system32\DNINDIS5.SYS [2007-04-13 17149]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-03 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Boots Insert Detect - c:\program files\Boots F2CD\Picture Suite\InsDetect.exe
HKLM-Run-MFESuiteSetup - f:\applic~2\McAfee\setup.exe
HKLM-Run-Anti Trojan Elite - c:\program files\Anti Trojan Elite\TJEnder.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\79sd00nx.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 21:01:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-03 21:03:16
ComboFix-quarantined-files.txt 2008-12-03 21:02:54

Pre-Run: 27,509,661,696 bytes free
Post-Run: 27,712,036,864 bytes free

221 --- E O F --- 2008-11-30 21:17:25


I havent a clue what any of that means! After following each set of your instructions my pc is speeding up massively. Im also finding the instructions really easy to follow so thank you.
I'll wait and see what you think i should do next.
Just want to say thanx for your halp so far!

Thanx
RandiM
#7
Hey RandiM

Can Malwarebytes update now? If not, please try using this manual update: http://www.gt500.org/malwarebytes/database.jsp

Do another scan and post the log here.

Also tell me how your's computer doing now.

Best Regards :D

Life is but a dream; you dont feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; thats a dumb question.

#8
Hi,

The update for malwarebytes went a little further this time, it connected to the internet and went 90% of the way through and then again came up with the same error, saying that i should tyrn off all firewalls (which the already are). So i followed your link and did the manual update, this has now worked (after the 3rd attempt) and the malwarebytes now says that i have the latest versioin of the database. I am running a scan and i will post the log as soon as its complete.

Thanx
RandiM
#9
Hi,

Apologies for not posting the malwarebytes log yesterday but I had a problem posting. I did run malwarebytes and attempt to post the log but it just kept freezing and saying please wait and not progressing anywhere. The log is as follows:

Malwarebytes' Anti-Malware 1.31
Database version: 1460
Windows 5.1.2600 Service Pack 3

04/12/2008 22:41:49
mbam-log-2008-12-04 (22-41-49).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|)
Objects scanned: 191253
Time elapsed: 46 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


As for an update on my PC; it is more than twice as fast now and running a lot lot better. When using inernet explorer before it would take at least 3 - 4 mins for it to open and after about 3 or 4 pages it would say it was unable to connect to the intenet. Now it opens within a few seconds and i am not having the loss of connection(yesterdays problem posting excluded!)

Thanx
RandiM
#10
Hey RandiM

Please post a new HijackThis log for me to see.

Best Regards :D

Life is but a dream; you dont feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; thats a dumb question.

#11
Hi, the hijackthis log file is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:00:28, on 06/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=4945
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1178028262296
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8137 bytes


Is it looking clear now?

Thanx
RandiM
#12
Hey RandiM

You look clean! Enjoy!

Best Regards :D

Life is but a dream; you dont feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; thats a dumb question.

#13
Hi,

Thanx so much for your help!

What anti virus and spy ware protection would you recommed?

I had norton before because it was already put on my pc when i bought it and that was menat to be protecting my pc when i got the trojans!

Thanx
RandiM
#14
Hey RandiM

I would recommend Antivir, Superantispyware, Malwarebytes, Comodo Firewall, and SpywareBlaster. There are other tools you can use too, but these are the most basic.

Best Regards :D

Life is but a dream; you dont feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; thats a dumb question.

#15
Hi,

Thanx I'll try these out. Am I OK to have these all on my pc at once? I have heard before that sometimes it can be a bad thing having too many security packages on at once because they can confuse each other? Is this try or is it told rubbish?

Thanx
RandiM
#16
hi guys i'm in the sh*t also with a trojan vundo.
i know virtually nothing about computers.Is there an easy fix for this virusor should get somebody to help me?

Eamo's Library - http://eko.4shared.com/
This discussion thread has been automatically closed, as it hasn't received any new posts during the last 180 days. This means that you can't post replies or new questions to this discussion thread.

If you have something to add to this topic, use this page to post your question or comments to a new discussion thread.