Member Avatar for Yevdokiya

Hi,
a week ago I was attacked by all kinds of garbage. I've gotten rid of the bogus malware removers and gotten my control panel back but I still get random pop-ups in IE while I am surfing, even with Mozilla, and then my computer will start running very slow. I have Windows Defender, it keeps finding the same trojans and can't seem to remove them. Here is a HijackThis logfile. I would really appreciate it if someone could help me clean up my poor computer for good! Thanks!!

Logfile of HijackThis v1.99.1
Scan saved at 9:21:58 PM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Debra Stanley\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=374
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

  • 2 Contributors
  • 16 Replies
  • 121 Views
  • 1 Week Discussion Span
  • Latest Post Latest Post by crunchie

Recommended Answers

All 16 Replies

Member Avatar for crunchie

Hi and welcome to Daniweb forums :).

Viewpoint Manager is considered to be foistware, rather than malware, since it is installed without users approval, but doesn't spy or do anything "bad". Please read this article: http://www.clickz.com/news/article.php/3561546
I suggest that you remove the program. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
Viewpoint
Viewpoint Manager
Viewpoint Media Player

====

Download the newest version of HiJackThis; version 2.0.2. Place it in a permanent folder before scanning. Repost your log after following the steps below. This version has features that might be more helpful in 'cleaning' up your system.

===============

Member Avatar for Yevdokiya

Thanks so much for your help... here is the Combofix log, followed by the HijackThis log. I did not yet run the catchme folder that appeared after Combofix ran.

ComboFix 07-12-09.1 - Debra Stanley 2007-12-11 20:26:38.5 - NTFSx86
Running from: C:\Documents and Settings\Debra Stanley\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data.\zkzupmrs.dll
C:\Documents and Settings\Debra Stanley\Application Data\MBOLS~1
C:\Documents and Settings\Debra Stanley\Application Data\MBOLS~1\??mbols\
C:\Documents and Settings\Debra Stanley\Application Data\trant.exe
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\msettings.ini
C:\WINDOWS\system32\advxeojt.dll
C:\WINDOWS\system32\anfukwor.dll
C:\WINDOWS\system32\bisxpsbm.dll
C:\WINDOWS\system32\caxttrxo.ini
C:\WINDOWS\system32\cqgfnskl.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drvgodr.dll
C:\WINDOWS\system32\efqyxgfa.dll
C:\WINDOWS\system32\euzhzfnc.dllbox
C:\WINDOWS\system32\lcxxvikh.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\lksnfgqc.ini
C:\WINDOWS\system32\nvtpmumj.dll
C:\WINDOWS\system32\oxrttxac.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\skjlrsjp
C:\WINDOWS\system32\skjlrsjp\bg1.gif
C:\WINDOWS\system32\skjlrsjp\bgtop.gif
C:\WINDOWS\system32\skjlrsjp\bottom1.gif
C:\WINDOWS\system32\skjlrsjp\essentials.gif
C:\WINDOWS\system32\skjlrsjp\icon1.ico
C:\WINDOWS\system32\skjlrsjp\install1.gif
C:\WINDOWS\system32\skjlrsjp\left1.gif
C:\WINDOWS\system32\skjlrsjp\li.gif
C:\WINDOWS\system32\skjlrsjp\logo.gif
C:\WINDOWS\system32\skjlrsjp\main.htm
C:\WINDOWS\system32\skjlrsjp\mainframe.htm
C:\WINDOWS\system32\skjlrsjp\reinstall1.gif
C:\WINDOWS\system32\skjlrsjp\right1.gif
C:\WINDOWS\system32\skjlrsjp\s1.htm
C:\WINDOWS\system32\skjlrsjp\s2.htm
C:\WINDOWS\system32\skjlrsjp\s3.htm
C:\WINDOWS\system32\skjlrsjp\skjlrsjp1.exe
C:\WINDOWS\system32\skjlrsjp\skjlrsjp2.exe
C:\WINDOWS\system32\skjlrsjp\SMTop1.gif
C:\WINDOWS\system32\skjlrsjp\SMTop2.gif
C:\WINDOWS\system32\skjlrsjp\SMTop3.gif
C:\WINDOWS\system32\skjlrsjp\SMTop4.gif
C:\WINDOWS\system32\skjlrsjp\soft1_off.gif
C:\WINDOWS\system32\skjlrsjp\soft1_off_ext.gif
C:\WINDOWS\system32\skjlrsjp\soft1_on.gif
C:\WINDOWS\system32\skjlrsjp\soft1_on_ext.gif
C:\WINDOWS\system32\skjlrsjp\soft2_off.gif
C:\WINDOWS\system32\skjlrsjp\soft2_off_ext.gif
C:\WINDOWS\system32\skjlrsjp\soft2_on.gif
C:\WINDOWS\system32\skjlrsjp\soft2_on_ext.gif
C:\WINDOWS\system32\skjlrsjp\soft3_off.gif
C:\WINDOWS\system32\skjlrsjp\soft3_off_ext.gif
C:\WINDOWS\system32\skjlrsjp\soft3_on.gif
C:\WINDOWS\system32\skjlrsjp\soft3_on_ext.gif
C:\WINDOWS\system32\skjlrsjp\softbottom_off.gif
C:\WINDOWS\system32\skjlrsjp\softbottom_on.gif
C:\WINDOWS\system32\skjlrsjp\softleft_off.gif
C:\WINDOWS\system32\skjlrsjp\softleft_on.gif
C:\WINDOWS\system32\skjlrsjp\top1.gif
C:\WINDOWS\system32\skjlrsjp\top2.gif
C:\WINDOWS\system32\skjlrsjp\turnoff1.gif
C:\WINDOWS\system32\skjlrsjp\turnon1.gif
C:\WINDOWS\system32\tkgvovgu.ini
C:\WINDOWS\system32\tvwvw.ini
C:\WINDOWS\system32\tvwvw.ini2
C:\WINDOWS\system32\ugvovgkt.dll
C:\WINDOWS\system32\wvwvt.dll
C:\WINDOWS\system32\xhdrqhth.dll
C:\WINDOWS\system32\xxyyyxx.dll
C:\WINDOWS\uninst2.htm
C:\WINDOWS\unist1.htm

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\core
-------\DomainService






(((((((((((((((((((((((((   Files Created from 2007-11-11 to 2007-12-11  )))))))))))))))))))))))))))))))
.

2007-12-11 18:19 . 2007-12-11 18:19 401,720 --a------   C:\Program Files\HiJackThis.exe
2007-12-10 20:45 . 2007-12-10 20:45 74,304  --a------   C:\WINDOWS\system32\jvinicob.exe
2007-12-10 02:30 . 2007-12-03 05:41 102,664 --a------   C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-09 20:44 . 2007-12-10 20:45 859,184 --ahs----   C:\WINDOWS\system32\cmeqelvm.ini
2007-12-08 20:12 . 2007-12-09 20:45 834,220 --ahs----   C:\WINDOWS\system32\woxpqbev.ini
2007-12-08 20:05 . 2007-12-08 20:05 <DIR>    d--hs----   C:\WINDOWS\ftpcache
2007-12-08 20:05 . 2007-12-08 20:05 <DIR>    d--------   C:\Program Files\Free
2007-12-06 05:48 . 2007-12-06 05:48 74,304  --a------   C:\WINDOWS\system32\iltkqfvh.exe
2007-12-05 06:09 . 2007-12-05 06:20 <DIR>    d--------   C:\Program Files\Windows Live Safety Center
2007-12-04 00:57 . 2007-12-04 01:08 793,998 --ahs----   C:\WINDOWS\system32\hxlcdgvh.ini
2007-12-03 21:41 . 2007-12-03 21:53 1,374   --a------   C:\WINDOWS\imsins.BAK
2007-12-03 21:13 . 2007-08-20 11:04 6,058,496   -----c---   C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-03 21:13 . 2007-04-17 10:32 2,455,488   -----c---   C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-03 21:13 . 2007-03-08 06:10 991,232 -----c---   C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-03 21:13 . 2007-08-20 11:04 459,264 -----c---   C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-03 21:13 . 2007-08-20 11:04 383,488 -----c---   C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-03 21:13 . 2007-08-20 11:04 267,776 -----c---   C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-03 21:13 . 2007-08-20 11:04 63,488  -----c---   C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-03 21:13 . 2007-08-20 11:04 52,224  -----c---   C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-03 21:13 . 2007-08-17 11:20 13,824  -----c---   C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-03 05:59 . 2007-12-03 08:24 <DIR>    d--------   C:\WINDOWS\BDOSCAN8
2007-12-03 05:41 . 2007-12-10 02:32 <DIR>    d--------   C:\Documents and Settings\Debra Stanley\.housecall6.6
2007-12-03 04:23 . 2007-12-03 04:51 23,072  --a------   C:\Documents and Settings\Debra Stanley\Application Data\info.dat
2007-12-03 02:51 . 2007-12-03 02:51 793,664 --ahs----   C:\WINDOWS\system32\nljkylid.ini
2007-12-03 02:20 . 2007-12-03 02:21 <DIR>    d--------   C:\Program Files\RogueRemover FREE
2007-12-03 02:16 . 2007-12-03 03:17 3,226   --a------   C:\WINDOWS\system32\tmp.reg
2007-12-03 02:15 . 2007-09-06 05:22 289,144 --a------   C:\WINDOWS\system32\VCCLSID.exe
2007-12-03 02:15 . 2006-04-27 22:49 288,417 --a------   C:\WINDOWS\system32\SrchSTS.exe
2007-12-03 02:15 . 2004-07-31 23:50 51,200  --a------   C:\WINDOWS\system32\dumphive.exe
2007-12-03 02:15 . 2007-10-04 05:36 25,600  --a------   C:\WINDOWS\system32\WS2Fix.exe
2007-12-02 05:22 . 2007-12-11 20:29 0   --a--c---   C:\WINDOWS\system.ini
2007-12-02 05:15 . 2007-12-02 05:15 <DIR>    d----c---   C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-02 05:14 . 2007-12-02 05:18 <DIR>    d--------   C:\Program Files\Spruce
2007-12-02 04:06 . 2007-12-02 04:07 8,646,776   --a------   C:\Program Files\Windows-KB890830-V1.35.exe
2007-12-02 03:40 . 2007-12-09 23:52 143 --a------   C:\WINDOWS\system32\mcrh.tmp
2007-12-02 03:12 . 2007-12-02 03:13 <DIR>    d--------   C:\Program Files\Windows Defender
2007-12-02 03:04 . 2007-12-02 03:04 1,469,992   --a------   C:\Program Files\GenuineCheck.exe
2007-12-02 02:31 . 2007-12-03 19:55 <DIR>    d--------   C:\Program Files\Gqdzldlr
2007-12-02 02:30 . 2007-12-09 07:18 <DIR>    d--------   C:\Program Files\nurypety
2007-12-02 02:28 . 2007-12-03 08:22 <DIR>    d--------   C:\WINDOWS\system32\mm6
2007-12-02 02:28 . 2007-12-02 15:26 <DIR>    d--------   C:\WINDOWS\system32\hv2
2007-12-02 02:28 . 2007-12-02 08:04 <DIR>    d--------   C:\WINDOWS\system32\dr1
2007-12-02 02:28 . 2007-12-02 04:38 <DIR>    d--------   C:\WINDOWS\system32\daSgo02
2007-12-02 02:28 . 2007-12-02 08:04 <DIR>    d--hs----   C:\WINDOWS\RGVicmEgU3RhbmxleQ
2007-11-18 21:00 . 2007-11-18 21:00 1,156   --a------   C:\WINDOWS\mozver.dat
2007-11-17 19:40 . 2007-11-17 19:40 1,164,456   --a------   C:\Program Files\install_flash_player.exe
2007-11-16 23:25 . 2007-11-16 23:27 <DIR>    d--------   C:\Documents and Settings\Debra Stanley\Application Data\DivX
2007-11-16 23:21 . 2007-10-20 01:56 129,784 --a------   C:\WINDOWS\system32\pxafs.dll
2007-11-16 23:21 . 2007-10-20 01:56 120,056 --a------   C:\WINDOWS\system32\pxcpyi64.exe
2007-11-16 23:21 . 2007-10-20 01:56 118,520 --a------   C:\WINDOWS\system32\pxinsi64.exe
2007-11-16 23:21 . 2007-10-20 01:56 9,464   --a------   C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-11-16 23:21 . 2007-10-20 01:56 9,336   --a------   C:\WINDOWS\system32\drivers\cdr4_xp.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 17:12    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-11 17:06    ---------   d-----w C:\Program Files\Carpo
2007-12-02 02:10    5,154,304   ----a-w C:\Program Files\WindowsDefender.msi
2007-11-16 22:24    1,449   ----a-w C:\Program Files\DivX Movies.lnk
2007-11-16 22:24    ---------   d-----w C:\Program Files\DivX
2007-11-16 22:21    806 ----a-w C:\Program Files\DivX Converter.lnk
2007-11-11 20:17    ---------   d-----w C:\Program Files\Lexmark X1100 Series
2007-10-25 15:26    53,248  ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-20 00:56    524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-10-20 00:56    43,528  ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-10-20 00:56    3,596,288   ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 00:56    200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56    1,044,480   ----a-w C:\WINDOWS\system32\libdivx.dll
2007-10-20 00:54    823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 00:54    823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-10-20 00:54    81,920  ----a-w C:\WINDOWS\system32\dpl100.dll
2007-10-20 00:54    802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-10-20 00:54    739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-10-20 00:54    196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-10-18 09:06    156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 09:03    593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-10-18 09:03    57,344  ----a-w C:\WINDOWS\system32\dpv11.dll
2007-10-18 09:03    53,248  ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-10-18 09:03    344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-10-18 09:03    294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-10-18 09:03    294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-10-18 09:02    12,288  ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-10-17 21:24    ---------   d-----w C:\Documents and Settings\Debra Stanley\Application Data\Talkback
2007-07-15 14:05    59,376  ----a-w C:\Documents and Settings\Debra Stanley\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((((((((((   AWF   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46CB938B-FE90-49A8-977F-6A96A16577D5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54DE7259-C729-45B1-BBD8-4BE9B5BD8248}]
2007-11-29 16:28    401408  --a------   C:\Program Files\Spruce\Spruce.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62780D18-D103-03D3-323A-01F43008B839}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87B3CF62-EC65-4135-9399-324F09E44130}]
            C:\WINDOWS\system32\wvwvt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 15:51]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-04 01:20]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 13:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 22:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\euzhzfnc]
euzhzfnc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winayt32]
winayt32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyyxx]
xxyyyxx.dll

S3 ne2000;Novell/Eagle NE2000 Adapter Driver;C:\WINDOWS\system32\DRIVERS\ne2000.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv REG_MULTI_SZ    Tapisrv

.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 12:58:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-11 02:00:00 C:\WINDOWS\Tasks\At100.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-11 03:00:00 C:\WINDOWS\Tasks\At101.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-09 04:00:03 C:\WINDOWS\Tasks\At102.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-09 05:00:03 C:\WINDOWS\Tasks\At103.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-09 06:00:07 C:\WINDOWS\Tasks\At104.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-05 13:00:00 C:\WINDOWS\Tasks\At105.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-05 14:00:00 C:\WINDOWS\Tasks\At106.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-05 15:00:00 C:\WINDOWS\Tasks\At107.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-06 16:00:00 C:\WINDOWS\Tasks\At108.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-05 17:00:01 C:\WINDOWS\Tasks\At109.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-05 18:00:00 C:\WINDOWS\Tasks\At110.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-05 19:00:01 C:\WINDOWS\Tasks\At111.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-11 14:00:00 C:\WINDOWS\Tasks\At112.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-11 15:00:00 C:\WINDOWS\Tasks\At113.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-03 22:00:01 C:\WINDOWS\Tasks\At114.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-11 17:00:00 C:\WINDOWS\Tasks\At115.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-11 18:00:00 C:\WINDOWS\Tasks\At116.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-11 19:00:00 C:\WINDOWS\Tasks\At117.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-10 20:00:00 C:\WINDOWS\Tasks\At118.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-10 21:00:00 C:\WINDOWS\Tasks\At119.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-10 22:00:00 C:\WINDOWS\Tasks\At120.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-11 19:17:46 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-12-01 01:00:37 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Debra Stanley.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2006-10-27 18:23:48 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url]http://www.gmer.net[/url]
Rootkit scan 2007-12-11 20:29:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

**************************************************************************
.
Completion time: 2007-12-11 20:31:10
.
    --- E O F ---

Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:38, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://go.microsoft.com/fwlink/?LinkId=69157[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://go.microsoft.com/fwlink/?LinkId=54896[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://go.microsoft.com/fwlink/?LinkId=54896[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://go.microsoft.com/fwlink/?LinkId=69157[/url]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [url]http://go.microsoft.com/fwlink/?LinkId=374[/url]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46CB938B-FE90-49A8-977F-6A96A16577D5} - \
O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
O2 - BHO: (no name) - {62780D18-D103-03D3-323A-01F43008B839} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [url]http://www1.snapfish.com/SnapfishActivia.cab[/url]
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - [url]http://download.bitdefender.com/resources/scan8/oscan8.cab[/url]
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - [url]http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab[/url]
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - [url]http://upload.facebook.com/controls/FacebookPhotoUploader.cab[/url]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [url]http://go.divx.com/plugin/DivXBrowserPlugin.cab[/url]
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - [url]http://ax.emsisoft.com/asquared.cab[/url]
O20 - Winlogon Notify: euzhzfnc - euzhzfnc.dll (file missing)
O20 - Winlogon Notify: winayt32 - winayt32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7477 bytes
Edited by mike_2000_17 because: Fixed formatting
Member Avatar for crunchie

Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

C:\WINDOWS\system32\jvinicob.exe
C:\WINDOWS\system32\iltkqfvh.exe
C:\WINDOWS\system32\winmds.exe
C:\Program Files\Spruce\Spruce.dll

===============

Can you please do the following.

===============

Can you disable Windows Defender as it may interfere with the removal process. Please leave it disabled until your PC has been given the all clear.

  • Open Windows Defender
  • Click Tools
  • Click General Settings
  • Scroll down to Real Time Protection Options
  • Uncheck Turn on Real Time Protection (recommended)
  • After you uncheck this, click on the Save button
  • Close Windows Defender

===============

Scan with HijackThis and then place a check next to all the following, if present:


O2 - BHO: (no name) - {46CB938B-FE90-49A8-977F-6A96A16577D5} - \
O2 - BHO: (no name) - {62780D18-D103-03D3-323A-01F43008B839} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O20 - Winlogon Notify: euzhzfnc - euzhzfnc.dll (file missing)
O20 - Winlogon Notify: winayt32 - winayt32.dll (file missing)


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

Member Avatar for Yevdokiya

Jotti scan results:

Service load:
0% 100%
File: jvinicob.exe Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 7ff39899b47ebe04528ca153a5692365 Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 11 Dec 2007 22:47:22 (GMT) A-Squared
Found nothing
AntiVir
Found ADSPY/Agent.74304
ArcaVir
Found Trojan.Agent.Czt
Avast
Found nothing
AVG Antivirus
Found BackDoor.Agent.PTA
BitDefender
Found Trojan.Agent.AGBD
ClamAV
Found nothing
CPsecure
Found BackDoor.W32.Agent.czu
Dr.Web
Found Trojan.EzulaAd
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found Trojan.Agent.AGBD
Kaspersky Anti-Virus
Found nothing
NOD32
Found Win32/Adware.Ezula application
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found nothing


Service load:
0% 100%
File: iltkqfvh.exe Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 7ff39899b47ebe04528ca153a5692365 Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 11 Dec 2007 22:42:34 (GMT) A-Squared
Found nothing
AntiVir
Found ADSPY/Agent.74304
ArcaVir
Found Trojan.Agent.Czt
Avast
Found nothing
AVG Antivirus
Found BackDoor.Agent.PTA
BitDefender
Found Trojan.Agent.AGBD
ClamAV
Found nothing
CPsecure
Found BackDoor.W32.Agent.czu
Dr.Web
Found Trojan.EzulaAd
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found Trojan.Agent.AGBD
Kaspersky Anti-Virus
Found nothing
NOD32
Found Win32/Adware.Ezula application
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found nothing


Service load:
0% 100%
File: Spruce.dll Status:
OK
MD5: 96114a4ccbd81b48d74cd40e25db8f94 Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 11 Dec 2007 22:54:03 (GMT) A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


For C:\WINDOWS\System 32\winmds.exe, I get the following message from jotti:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file.


HijackThis scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:14, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\HiJackThis.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=374
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7093 bytes

Member Avatar for Yevdokiya

pc is running much better, almost normal, and no popups for a long time.

Member Avatar for crunchie

1. Please open Notepad

  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:


File::
C:\WINDOWS\system32\jvinicob.exe
C:\WINDOWS\system32\iltkqfvh.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[IMG]http://i5.photobucket.com/albums/y153/crunchie1/CFScript.gif[/IMG]


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter you re-enable all the programs that were disabled during the running of ComboFix:

  • Combofix.txt
  • A new HijackThis log.

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Member Avatar for Yevdokiya

When I re-enabled Norton AntiVirus and then ran Combofix Norton kept warning me about various scripts but I always authorized them, I guess that is normal?

ComboFix 07-12-09.1 - Debra Stanley 2007-12-13  1:25:10.7 - NTFSx86
Running from: C:\Documents and Settings\Debra Stanley\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2007-11-13 to 2007-12-13  )))))))))))))))))))))))))))))))
.

2007-12-12 18:15 . 2007-12-12 18:15 <DIR>    d--------   C:\WINDOWS\LastGood
2007-12-12 00:07 . 2007-12-12 00:07 <DIR>    d--------   C:\Program Files\backups
2007-12-12 00:01 . 2007-12-12 00:01 <DIR>    d--------   C:\Program Files\VirusTotalUploader
2007-12-11 18:19 . 2007-12-11 18:19 401,720 --a------   C:\Program Files\HiJackThis.exe
2007-12-10 02:30 . 2007-12-03 05:41 102,664 --a------   C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-09 20:44 . 2007-12-10 20:45 859,184 --ahs----   C:\WINDOWS\system32\cmeqelvm.ini
2007-12-08 20:12 . 2007-12-09 20:45 834,220 --ahs----   C:\WINDOWS\system32\woxpqbev.ini
2007-12-08 20:05 . 2007-12-08 20:05 <DIR>    d--hs----   C:\WINDOWS\ftpcache
2007-12-08 20:05 . 2007-12-08 20:05 <DIR>    d--------   C:\Program Files\Free
2007-12-05 06:09 . 2007-12-05 06:20 <DIR>    d--------   C:\Program Files\Windows Live Safety Center
2007-12-04 00:57 . 2007-12-04 01:08 793,998 --ahs----   C:\WINDOWS\system32\hxlcdgvh.ini
2007-12-03 21:41 . 2007-12-03 21:53 1,374   --a------   C:\WINDOWS\imsins.BAK
2007-12-03 21:13 . 2007-08-20 11:04 6,058,496   -----c---   C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-03 21:13 . 2007-04-17 10:32 2,455,488   -----c---   C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-03 21:13 . 2007-03-08 06:10 991,232 -----c---   C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-03 21:13 . 2007-08-20 11:04 459,264 -----c---   C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-03 21:13 . 2007-08-20 11:04 383,488 -----c---   C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-03 21:13 . 2007-08-20 11:04 267,776 -----c---   C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-03 21:13 . 2007-08-20 11:04 63,488  -----c---   C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-03 21:13 . 2007-08-20 11:04 52,224  -----c---   C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-03 21:13 . 2007-08-17 11:20 13,824  -----c---   C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-03 05:59 . 2007-12-03 08:24 <DIR>    d--------   C:\WINDOWS\BDOSCAN8
2007-12-03 05:41 . 2007-12-10 02:32 <DIR>    d--------   C:\Documents and Settings\Debra Stanley\.housecall6.6
2007-12-03 04:23 . 2007-12-03 04:51 23,072  --a------   C:\Documents and Settings\Debra Stanley\Application Data\info.dat
2007-12-03 02:51 . 2007-12-03 02:51 793,664 --ahs----   C:\WINDOWS\system32\nljkylid.ini
2007-12-03 02:20 . 2007-12-03 02:21 <DIR>    d--------   C:\Program Files\RogueRemover FREE
2007-12-03 02:16 . 2007-12-03 03:17 3,226   --a------   C:\WINDOWS\system32\tmp.reg
2007-12-03 02:15 . 2007-09-06 05:22 289,144 --a------   C:\WINDOWS\system32\VCCLSID.exe
2007-12-03 02:15 . 2006-04-27 22:49 288,417 --a------   C:\WINDOWS\system32\SrchSTS.exe
2007-12-03 02:15 . 2004-07-31 23:50 51,200  --a------   C:\WINDOWS\system32\dumphive.exe
2007-12-03 02:15 . 2007-10-04 05:36 25,600  --a------   C:\WINDOWS\system32\WS2Fix.exe
2007-12-02 05:22 . 2007-12-13 01:29 0   --a--c---   C:\WINDOWS\system.ini
2007-12-02 05:15 . 2007-12-02 05:15 <DIR>    d----c---   C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-02 05:14 . 2007-12-02 05:18 <DIR>    d--------   C:\Program Files\Spruce
2007-12-02 04:06 . 2007-12-02 04:07 8,646,776   --a------   C:\Program Files\Windows-KB890830-V1.35.exe
2007-12-02 03:40 . 2007-12-09 23:52 143 --a------   C:\WINDOWS\system32\mcrh.tmp
2007-12-02 03:12 . 2007-12-02 03:13 <DIR>    d--------   C:\Program Files\Windows Defender
2007-12-02 03:04 . 2007-12-02 03:04 1,469,992   --a------   C:\Program Files\GenuineCheck.exe
2007-12-02 02:31 . 2007-12-03 19:55 <DIR>    d--------   C:\Program Files\Gqdzldlr
2007-12-02 02:30 . 2007-12-09 07:18 <DIR>    d--------   C:\Program Files\nurypety
2007-12-02 02:28 . 2007-12-03 08:22 <DIR>    d--------   C:\WINDOWS\system32\mm6
2007-12-02 02:28 . 2007-12-02 15:26 <DIR>    d--------   C:\WINDOWS\system32\hv2
2007-12-02 02:28 . 2007-12-02 08:04 <DIR>    d--------   C:\WINDOWS\system32\dr1
2007-12-02 02:28 . 2007-12-02 04:38 <DIR>    d--------   C:\WINDOWS\system32\daSgo02
2007-12-02 02:28 . 2007-12-02 08:04 <DIR>    d--hs----   C:\WINDOWS\RGVicmEgU3RhbmxleQ
2007-11-18 21:00 . 2007-11-18 21:00 1,156   --a------   C:\WINDOWS\mozver.dat
2007-11-17 19:40 . 2007-11-17 19:40 1,164,456   --a------   C:\Program Files\install_flash_player.exe
2007-11-16 23:25 . 2007-11-16 23:27 <DIR>    d--------   C:\Documents and Settings\Debra Stanley\Application Data\DivX
2007-11-16 23:21 . 2007-10-20 01:56 129,784 --a------   C:\WINDOWS\system32\pxafs.dll
2007-11-16 23:21 . 2007-10-20 01:56 120,056 --a------   C:\WINDOWS\system32\pxcpyi64.exe
2007-11-16 23:21 . 2007-10-20 01:56 118,520 --a------   C:\WINDOWS\system32\pxinsi64.exe
2007-11-16 23:21 . 2007-10-20 01:56 9,464   --a------   C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-11-16 23:21 . 2007-10-20 01:56 9,336   --a------   C:\WINDOWS\system32\drivers\cdr4_xp.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-13 00:19    7,094   ----a-w C:\Program Files\hijackthis.log
2007-12-11 17:12    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-11 17:06    ---------   d-----w C:\Program Files\Carpo
2007-12-02 02:10    5,154,304   ----a-w C:\Program Files\WindowsDefender.msi
2007-11-16 22:24    1,449   ----a-w C:\Program Files\DivX Movies.lnk
2007-11-16 22:24    ---------   d-----w C:\Program Files\DivX
2007-11-16 22:21    806 ----a-w C:\Program Files\DivX Converter.lnk
2007-11-11 20:17    ---------   d-----w C:\Program Files\Lexmark X1100 Series
2007-10-25 15:26    53,248  ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-20 00:56    524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-10-20 00:56    43,528  ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-10-20 00:56    3,596,288   ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 00:56    200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56    1,044,480   ----a-w C:\WINDOWS\system32\libdivx.dll
2007-10-20 00:54    823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 00:54    823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-10-20 00:54    81,920  ----a-w C:\WINDOWS\system32\dpl100.dll
2007-10-20 00:54    802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-10-20 00:54    739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-10-20 00:54    196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-10-18 09:06    156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 09:03    593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-10-18 09:03    57,344  ----a-w C:\WINDOWS\system32\dpv11.dll
2007-10-18 09:03    53,248  ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-10-18 09:03    344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-10-18 09:03    294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-10-18 09:03    294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-10-18 09:02    12,288  ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-10-17 21:24    ---------   d-----w C:\Documents and Settings\Debra Stanley\Application Data\Talkback
2007-07-15 14:05    59,376  ----a-w C:\Documents and Settings\Debra Stanley\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((   snapshot@2007-12-11_20.30.03.09   )))))))))))))))))))))))))))))))))))))))))
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54DE7259-C729-45B1-BBD8-4BE9B5BD8248}]
2007-11-29 16:28    401408  --a------   C:\Program Files\Spruce\Spruce.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 15:51]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-04 01:20]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 22:38]

S3 ne2000;Novell/Eagle NE2000 Adapter Driver;C:\WINDOWS\system32\DRIVERS\ne2000.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv REG_MULTI_SZ    Tapisrv

.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 12:58:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-12 02:00:00 C:\WINDOWS\Tasks\At100.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-12 03:00:00 C:\WINDOWS\Tasks\At101.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-12 04:00:00 C:\WINDOWS\Tasks\At102.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-12 05:00:00 C:\WINDOWS\Tasks\At103.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-12 06:00:00 C:\WINDOWS\Tasks\At104.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-05 13:00:00 C:\WINDOWS\Tasks\At105.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-05 14:00:00 C:\WINDOWS\Tasks\At106.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-05 15:00:00 C:\WINDOWS\Tasks\At107.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-06 16:00:00 C:\WINDOWS\Tasks\At108.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-05 17:00:01 C:\WINDOWS\Tasks\At109.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-05 18:00:00 C:\WINDOWS\Tasks\At110.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-05 19:00:01 C:\WINDOWS\Tasks\At111.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-11 14:00:00 C:\WINDOWS\Tasks\At112.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-11 15:00:00 C:\WINDOWS\Tasks\At113.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-03 22:00:01 C:\WINDOWS\Tasks\At114.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-11 17:00:00 C:\WINDOWS\Tasks\At115.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-12 18:00:02 C:\WINDOWS\Tasks\At116.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-11 19:00:00 C:\WINDOWS\Tasks\At117.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-11 20:00:00 C:\WINDOWS\Tasks\At118.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-11 21:00:01 C:\WINDOWS\Tasks\At119.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-12 22:00:00 C:\WINDOWS\Tasks\At120.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-13 00:23:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-12-01 01:00:37 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Debra Stanley.job"
- C:\PROGRA~1\NORTON~1\Navw32.exe
"2006-10-27 18:23:48 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
--------------------- DLLs Loaded Under Running Processes --------------------- 

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\DOCUME~1\DEBRAS~1\LOCALS~1\Temp\wvptohdo.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url]http://www.gmer.net[/url]
Rootkit scan 2007-12-13 01:29:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2007-12-13  1:34:20
C:\ComboFix2.txt ... 2007-12-12 22:32
C:\ComboFix3.txt ... 2007-12-11 20:31
.
    --- E O F ---

log2:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:36, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HiJackThis.exe
C:\Program Files\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://go.microsoft.com/fwlink/?LinkId=69157[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://go.microsoft.com/fwlink/?LinkId=54896[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://go.microsoft.com/fwlink/?LinkId=54896[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://go.microsoft.com/fwlink/?LinkId=69157[/url]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [url]http://go.microsoft.com/fwlink/?LinkId=374[/url]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [url]http://www1.snapfish.com/SnapfishActivia.cab[/url]
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - [url]http://download.bitdefender.com/resources/scan8/oscan8.cab[/url]
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - [url]http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab[/url]
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - [url]http://upload.facebook.com/controls/FacebookPhotoUploader.cab[/url]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [url]http://go.divx.com/plugin/DivXBrowserPlugin.cab[/url]
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - [url]http://ax.emsisoft.com/asquared.cab[/url]
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7126 bytes
Edited by mike_2000_17 because: Fixed formatting
Member Avatar for crunchie

Can you delete this file; C:\WINDOWS\system32\winmds.exe then delete all related scheduled tasks.
I forgot to ask you to do that before :(.

Member Avatar for Yevdokiya

I just deleted winmds.ex_, sorry, what do you mean delete all related scheduled tasks?

Member Avatar for crunchie

All of the following;

Contents of the 'Scheduled Tasks' folder
"2007-11-03 12:58:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-12 02:00:00 C:\WINDOWS\Tasks\At100.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-12 03:00:00 C:\WINDOWS\Tasks\At101.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-12 04:00:00 C:\WINDOWS\Tasks\At102.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-12 05:00:00 C:\WINDOWS\Tasks\At103.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-12 06:00:00 C:\WINDOWS\Tasks\At104.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-05 13:00:00 C:\WINDOWS\Tasks\At105.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-05 14:00:00 C:\WINDOWS\Tasks\At106.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-05 15:00:00 C:\WINDOWS\Tasks\At107.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-06 16:00:00 C:\WINDOWS\Tasks\At108.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-05 17:00:01 C:\WINDOWS\Tasks\At109.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-05 18:00:00 C:\WINDOWS\Tasks\At110.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-05 19:00:01 C:\WINDOWS\Tasks\At111.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-11 14:00:00 C:\WINDOWS\Tasks\At112.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-11 15:00:00 C:\WINDOWS\Tasks\At113.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-03 22:00:01 C:\WINDOWS\Tasks\At114.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-11 17:00:00 C:\WINDOWS\Tasks\At115.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-12 18:00:02 C:\WINDOWS\Tasks\At116.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-11 19:00:00 C:\WINDOWS\Tasks\At117.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-11 20:00:00 C:\WINDOWS\Tasks\At118.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-11 21:00:01 C:\WINDOWS\Tasks\At119.job"
- C:\WINDOWS\system32\winmds.exe
"2007-12-12 22:00:00 C:\WINDOWS\Tasks\At120.job"
- C:\WINDOWS\system32\winmds.exe

Member Avatar for Yevdokiya

Thanks! I just did that. What's next?

Member Avatar for crunchie

All looks good on this side of your monitor. How's things your side?

Member Avatar for Yevdokiya

Well, my computer seems to be running fine and I haven't gotten any popups since we started this process, but now I can't open Internet Explorer. I've been using Firefox. I get this error:

AppName: iexplore.exe AppVer: 7.0.6000.16574 ModName: normaliz.dll
ModVer: 6.0.5441.0 Offset: 00004c25

Member Avatar for crunchie

Try uninstalling it then installing again.

Member Avatar for Yevdokiya

Well, after restarting my computer the problem simply disappeared. Windows Explorer works fine, computer running fine, and no popups! Whoopee!!

Unless there's anything else you can think of, I believe this is solved! Thank you SO much for the time you volunteered to help me out!! Happy holidays!

Member Avatar for crunchie

Excellent. Glad to here all is ok. You are welcome and Merry Christmas :)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.