[Spyware] ntdll64 - dslreports.com

TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA	reply to flighty Re: [Spyware] ntdll64 Since you have decided to reformat and reinstall, if you have a backup program, you should backup your data before starting the new Windows installation. You don't need to backup program files, just backup your data. The programs can be reinstalled later. I would save your data to CD/DVD or an external device such as an external USB drive. When you install, since you will be installing from scratch, you need to be certain you delete the previous installation rather than do a Repair installation. There is an excellent set of instructions at the below link complete with screenshots of what to expect at each step. http://www.michaelstevenstech.com/cleanxpinstall.html#steps You should print out those instructions before proceeding. Have the installation discs or a saved install file handy for your antivirus and firewall. Disconnect from the Internet before proceeding with the installation (pull your connection cable). When you get to step 10b, choose to delete the partition by pressing "D". You will then be prompted to create a new partition in the empty space. This will remove all data from the deleted space. After you reinstall Windows: - Install your Antivirus. - Install your Firewall. - Reconnect to the Internet. - Update your AntiVirus. - Go to Windows Update and install SP3 and ALL critical updates. - After that, please post a new HijackThis log. -- Proud ASAP member since 2005
	to forum · permalink · · 2009-05-22 18:31:54 ·
flighty Premium join:2009-05-14 Portland, OR	reply to flighty Joker none of this is workig for me- thanks for the help but I am going to format and reinstall. Later Flighty
	to forum · permalink · · 2009-05-21 13:21:09 ·
TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA	reply to flighty One option is to create a bootable CD with Bart's PE Builder (BartPE). You could then boot from the BartPE disc and copy the file to your System32 folder. To build a BartPE disc, go to »www.nu2.nu/pebuilder/ There are complete instructions there on downloading the latest PE Builder version (self-installing package) and installing it, building the disc, and burning it to CD. You will need to do this from a working system. After burning the disc, you would simply boot from the BartPE disc (you may need to change the boot order in your system BIOS setup), and copy the empty file vedilune.dll that you created to the System32 folder, reboot the system, and see if you can login. -- Proud ASAP member since 2005
	to forum · permalink · · 2009-05-19 18:39:00 ·
flighty Premium join:2009-05-14 Portland, OR	reply to TheJoker Joker, I burned the blank file into a cd and then arrived at the recovery console without problems. I have a second CD slot but in neither could the file be found to copy. loaded into either and querying with DIR, nothing found on the disc. used a text doc as requested. Man this one is malicious! some error I made perhaps? flighty
	to forum · permalink · · 2009-05-18 23:33:26 ·
TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA 1 edit	reply to flighty Lets try something. Do you have a flopy drive? If not, you will need to burn a file to CD instead. On the Desktop, right-click, select New > Text Document. This will create the file New Text Document.txt on the Desktop. Rename it to vedilune.dll. Copy the file to a floppy, or if you don't have a floppy drive, burn it to CD. Insert your Windows XP CD (Windows XP with Service Pack 3 is preferred, but not required) and reboot the computer. - You may need to configure your computer BIOS to boot from the CD-ROM drive. - When the Windows XP Setup has started, press "R" to "repair the Windows XP installation using Recovery Console". - Select the Windows installation to repair (generally this is C:\Windows) by typing its number and then pressing ENTER. - Type the Administrator password and press ENTER. - Type the following command: COPY A:\vedilune.dll C:\WINDOWS\SYSTEM32 [ENTER] NOTE: If you don't have a floppy and use a CD-ROM drive which has a different drive letter assigned to it, enter the appropriate drive letter instead of A. After entering "COPY A:\vedilune.dll C:\ WINDOWS\SYSTEM32" you should see the text "1 file(s) copied", in which case all went well. - Remove the floppy or Windows XP CD, type "EXIT" and press ENTER to restart your computer. Can you now log on normally? -- Proud ASAP member since 2005
	to forum · permalink · · 2009-05-18 05:59:35 ·
flighty Premium join:2009-05-14 Portland, OR	reply to flighty Joker No, even safe mode is flipping to log off right after logging on. I have even tried boot form disc and reinstalling from my windows disc. I am starting to think i need to wipe my hard drive... flighty
	to forum · permalink · · 2009-05-17 23:23:59 ·
TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA	reply to flighty Can you boot to Safe mode successfully? -- Proud ASAP member since 2005
	to forum · permalink · · 2009-05-17 22:08:57 ·
flighty Premium join:2009-05-14 Portland, OR	reply to flighty Joker I made as far as the kaspersky antivirus program step but could not comlplete it. After deleting the files as resquested, my computer logs off direct from the logon page. I even triedd to boot from disc and no joy. suggestions? flighty
	to forum · permalink · · 2009-05-17 19:17:59 ·
TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA	reply to flighty Are you not running an antivirus, or is it being prevented from running? I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier. You will also need the printed copy as you will be in Safe mode for several instructions. Please follow the directions in the order listed (Important). Reboot to Safe Mode - Restart your computer and begin tapping the F8 key on your keyboard. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter. To return to normal mode just restart your computer as you normally would. Press Control-Alt-Del to enter the Task Manager. Click on the Processes tab and end the following processes if found: C:\WINDOWS\system32\init32.exe C:\WINDOWS\system32\SYS32DLL.exe Exit the Task Manager when finished. Using Windows Explorer, delete the following files: C:\WINDOWS\system32\init32.exe C:\WINDOWS\system32\SYS32DLL.exe C:\Windows\fmark2.dat Also delete the following folders if found: C:\Windows\Program Files\TinyProxy folder C:\Windows\Program Files\ProtectService also in the Windows folder delete any .exe files starting with kenny in the file name: C:\Windows\*kenny.exe Restart your system. Go to Start -> Settings -> Control Panel -> Internet Options -> Connections Tab -> Lan Settings -> uncheck "use a proxy server" or reconfigure the Proxy server if you have set it previously. If you use FireFox, do the same thing: Go to Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there): O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL O4 - HKUS\S-1-5-18\..\Run: [SYS32DLL] SYS32DLL (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [SYS32DLL] SYS32DLL (User 'Default user') O20 - AppInit_DLLs: C:\WINDOWS\system32\vedilune.dll Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked. Using Windows Explorer, locate the following files, and delete them (if found): C:\WINDOWS\system32\vedilune.dll C:\WINDOWS\system32\init32.exe C:\WINDOWS\system32\SYS32DLL.exe Download the latest version of Kaspersky Virus Removal Tool ftp://downloads2.kaspersky-labs.com/devbuilds/AVPTool/index.html - Disconnect from the Internet (pull your connection cable). - Reboot to Safe mode. - Close all other applications and double-click and run the installer. - When AVPTool starts, select all the scanable items except for CD-ROM drives and click the Scan button. - If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active). - After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button - In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active). - If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window. - In the Scan window click the Reports button and select Save to file. - Name the report AVPT.txt, and save it to the Desktop. - Close AVPTool. - You will be prompted if you want to uninstall the program; click Yes. - You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system. - After the system restarts, reconnect to the Internet - Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events. Download ComboFix© by sUBs** from one of these locations: http://download.bleepingcomputer.com/sUBs/ComboFix.exe http://www.forospyware.com/sUBs/ComboFix.exe http://subs.geekstogo.com/ComboFix.exe * IMPORTANT !!! Save ComboFix.exe to your Desktop Familiarize yourself with ComboFix before running it: »www.bleepingcomputer.com/combofi···combofix - Disable your AntiVirus and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering. - Double click on ComboFix.exe & follow the prompts. - As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. - Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it will save a log. Please include the contents of the log at C:\ComboFix.txt in your next reply. Download Security Check by screen317 and save it to your Desktop: http://screen317.spywareinfoforum.org/SecurityCheck.zip http://screen317.changelog.fr/SecurityCheck.zip - Unzip SecurityCheck.zip and a folder named Security Check should appear. Open the Security Check folder and double-click Security Check.bat Follow the onscreen instructions inside of the black box. - A Notepad document should open automatically called checkup.txt**; please post the contents of that document. Please post a new HijackThis log, the log from MBAM, the contents of the log from Security Check (checkup.txt), and in a second reply the requested portion of the log from Kaspersky Virus Removal Tool, the contents of ComboFix (combofix.txt), and note any errors encountered. -- Proud ASAP member since 2005
	to forum · permalink · · 2009-05-17 09:58:42 ·
flighty Premium join:2009-05-14 Portland, OR	reply to flighty Joker thanks for the help. i have had to run malwarebytes in safe mode to get best effects. ran it 3 times. I am still not running well in any regard, but better a bit. Malware logs #1 Malwarebytes' Anti-Malware 1.36 Database version: 1945 Windows 5.1.2600 Service Pack 3 5/15/2009 1:08:17 PM mbam-log-2009-05-15 (13-08-17).txt Scan type: Quick Scan Objects scanned: 66522 Time elapsed: 2 minute(s), 53 second(s) Memory Processes Infected: 2 Memory Modules Infected: 3 Registry Keys Infected: 10 Registry Values Infected: 8 Registry Data Items Infected: 14 Folders Infected: 0 Files Infected: 14 Memory Processes Infected: C:\WINDOWS\ld08.exe (Trojan.KoobFace) -> Unloaded process successfully. C:\WINDOWS\pp07.exe (Trojan.KoobFace) -> Unloaded process successfully. Memory Modules Infected: C:\WINDOWS\system32\jaweruwu.dll (Trojan.Vundo.H) -> Delete on reboot. c:\WINDOWS\system32\begimepo.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d96cc8ec-4186-4803-8d04-b8d78b656ded} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{d96cc8ec-4186-4803-8d04-b8d78b656ded} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot. HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{e7f15ac4-e0a9-43f0-921b-70dfea621220} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7f15ac4-e0a9-43f0-921b-70dfea621220} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\782676e1 (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\joyukekuga (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm7b15457d (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\begimepo.dll -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.61,85.255.112.97 -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b878a1e6-7813-4c26-a17a-0833bec8fc3c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.61,85.255.112.97 -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.61,85.255.112.97 -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b878a1e6-7813-4c26-a17a-0833bec8fc3c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.61,85.255.112.97 -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.61,85.255.112.97 -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{b878a1e6-7813-4c26-a17a-0833bec8fc3c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.61,85.255.112.97 -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.61,85.255.112.97 -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{b878a1e6-7813-4c26-a17a-0833bec8fc3c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.61,85.255.112.97 -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\jaweruwu.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\uwurewaj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. c:\WINDOWS\system32\begimepo.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\796525\796525.dll (Trojan.BHO) -> Quarantined and deleted successfully. C:\WINDOWS\t55ft3188f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully. C:\WINDOWS\t55ft3189f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully. C:\WINDOWS\pp07.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\Mark Jardini\Local Settings\Temp\mousehook.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\ld08.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\Documents and Settings\Mark Jardini\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot. C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\pp06.exe (Trojan.KoobFace) -> Quarantined and deleted successfully. #2 Malwarebytes' Anti-Malware 1.36 Database version: 1945 Windows 5.1.2600 Service Pack 3 5/15/2009 6:19:11 PM mbam-log-2009-05-15 (18-19-11).txt Scan type: Quick Scan Objects scanned: 65054 Time elapsed: 6 minute(s), 54 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully. #3 Malwarebytes' Anti-Malware 1.36 Database version: 1945 Windows 5.1.2600 Service Pack 3 5/16/2009 7:11:58 PM mbam-log-2009-05-16 (19-11-58).txt Scan type: Quick Scan Objects scanned: 65111 Time elapsed: 6 minute(s), 24 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully. this is the last HJT log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:13:37 PM, on 5/16/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16791) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\WINDOWS\system32\init32.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Google\Update\GoogleUpdate.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\SYS32DLL.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\palmOne\HOTSYNC.EXE C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Documents and Settings\Mark Jardini\Desktop\HiJackThis.exe C:\WINDOWS\system32\svchost.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = »go.microsoft.com/fwlink/?LinkId=54843 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local; O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL O4 - HKUS\S-1-5-18\..\Run: [SYS32DLL] SYS32DLL (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [SYS32DLL] SYS32DLL (User 'Default user') O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll O20 - AppInit_DLLs: C:\WINDOWS\system32\vedilune.dll O23 - Service: Google Update Service (gupdate1c99c4fd58fda36) (gupdate1c99c4fd58fda36) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe -- End of file - 7598 bytes Next steps? flighty
	to forum · permalink · · 2009-05-16 22:38:58 ·
TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA	reply to flighty Hi flighty You didn't mention what your operating system is. One way would be to have someone with a clean, uninfected system download some utilities for you, burn them to CD (don't use a USB/flash drive) and transfer the files to your Desktop. HijackThis http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download Malwarebytes' Anti-Malware http://www.malwarebytes.org/mbam-download.php LSPfix http://www.downloads.subratam.org/lspfix.zip Do NOT run LSPfix yet, I just want to get it onto the CD so you have it available if you need to use it. Malwarebytes' Anti-Malware Double Click mbam-setup.exe to install the application. - Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. - If an update is found, it will download and install the latest version. - Once the program has loaded, select "Perform Quick Scan", then click Scan. - If the program will not load, go to C:\Program Files\Malwarebytes' Anti-Malware and rename mbam.exe to renamed.exe and double-click the file to start the program. - The scan may take some time to finish,so please be patient. - When the scan is complete, click OK, then Show Results to view the results. - Make sure that everything is checked, and click Remove Selected. - When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note) - The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. - Copy & Paste the entire report in your next reply along with a fresh HijackThis log. Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Now run HijackThis and scan and save a log. If HijackThis won't run, rename hijackthis.exe to analyze.exe and try to run it. Please post the log from HijackThis, the log from MBAM, and note any errors encountered. -- Proud ASAP member since 2005
	to forum · permalink · · 2009-05-15 06:17:17 ·
flighty Premium join:2009-05-14 Portland, OR	hi I am running xp and picked this up. Internet Explorer is down and Firefox barely running. I tried to follow initial instructions and download security programs recommended but cannot get to the sites. I tired to run host expert as recommended but did not fix much that I could notice. Can you help me get to a place where I can download some helpful software? flighty
	to forum · permalink · · 2009-05-15 00:24:07 ·


Saturday, 28-Nov 07:30:08	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. republican-creole page compression OFF