Thread ID: 90792 2008-06-16 10:48:00 rundll32.exe and userinit.exe errors scottyc130 (13874) Press F1
678942 2008-06-16 10:48:00 I am having issues when logging onto Windows. Following the password screen I am faced with rundll32.exe - application error (0cx0000005), which normally has to be acknowledged twice, followed by a userinit.exe - application error. The only way I can then get the desktop to appear is to start Windows Explorer through the New Task option of the Task Manager.

My live protection on the antivirus is picking up several trojans, etc. when connected to the internet, and I have had several things to get rid of (none of which meant very much to me) through Ad-Aware scans.

I initially thought I had registry issues, as the computer was running very slow following uninstallation of several programs, and so I tried a couple of registry cleaners, all of which found many errors but which have not rectified the problem. Last try was CCleaner, which removed a heap more, and then I ran HijackThis, which has given the following results.

Any help would be appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:49 p.m., on 16/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: banneradsgalore browser optimizer - {03abe7b4-0049-5a2d-e6a0-148abd8cd676} - C:\WINDOWS\system32\{dc377b96-97a3-69cd-5553-1016a66019a4}.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: BeSideit IE Helper - {83C35173-E029-42f1-9692-0341EE379A0D} - C:\Program Files\QdrDrive\QdrDrive16.dll
O2 - BHO: (no name) - {92D633A8-5165-4C96-951A-B94185A20A22} - C:\WINDOWS\system32\geBtSMfd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Update Background] C:\WINDOWS\system32\Updatebg.vbs
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [88467395] rundll32.exe "C:\WINDOWS\system32\jqamticp.dll",b
O4 - HKLM\..\Run: [BM8b754009] Rundll32.exe "C:\WINDOWS\system32\rlexjrct.dll",s
O4 - HKLM\..\Run: [{c903b18a-1ac0-bf49-2ff4-8cc7e7d291e3}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{dc377b96-97a3-69cd-5553-1016a66019a4}.dll" DllStart
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0002E520-0000-0000-C000-000000000046} (InstPivot) - sporcorpdevweb1/[...].cab
O16 - DPF: {00C7C2A0-8B82-11D1-8B57-00A0C98CD92B} (ActiveReports Viewer) - akwebair/[...].cab
O16 - DPF: {0D6236AB-DBA2-11D1-B5DF-0060976089D0} (ComponentOne XArrayDB Object) - sporcorpdevweb1/[...].cab
O16 - DPF: {0ECD9B64-23AA-11D0-B351-00A0C9055D8E} (Microsoft Hierarchical FlexGrid Control 6.0 (SP4) (OLEDB)) - sporcorpdevweb1/[...].cab
O16 - DPF: {1B476D45-C310-48F6-9BDD-A5072048CF5F} (MIT Word 2000 Step by Step Interactive) - mit/[...].cab
O16 - DPF: {1D3B54A8-C3A0-4E79-AF6E-667042CD7C58} (Microsoft Windows XP Pro Step by Step Interactive) - mit/[...].cab
O16 - DPF: {20DD1B9E-87C4-11D1-8BE3-0000F8754DA1} (Microsoft Date and Time Picker Control 6.0 (SP4)) - eporwebapp1/[...].cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {34C6D274-3B98-11D4-8C00-00104B1C8A13} (WebeMail.eMail) - swhesql1/[...].CAB
O16 - DPF: {3A2B370C-BA0A-11D1-B137-0000F8753F5D} (Microsoft Chart Control 6.0 (SP4) (OLEDB)) - sporcorpdevweb1/[...].cab
O16 - DPF: {5CE71396-91B6-4779-A79B-D80A21DC31B1} (Microsoft Excel 2002 Step by Step Interactive) - mit/[...].cab
O16 - DPF: {6262D3A0-531B-11CF-91F6-C2863C385E30} (Microsoft FlexGrid Control, version 6.0) - sporcorpdevweb1/[...].cab
O16 - DPF: {6962BD5E-B965-492B-9A86-707FE13D5E62} (MIT Office 2000 Step by Step Interactive) - mit/[...].cab
O16 - DPF: {9101884B-6928-42AC-9452-5B8A4A942085} (MIT Outlook 2000 Step by Step Interactive) - mit/[...].cab
O16 - DPF: {98B65D65-50B4-11D3-9441-54AC0EC10000} (ctSchedule Control 4.0) - sporcorpdevweb1/[...].ocx
O16 - DPF: {AA588AFE-1622-47BE-AA06-541E02DFA4D5} (MIT Access 2000 Step by Step Interactive) - mit/[...].cab
O16 - DPF: {BDC217C5-ED16-11CD-956C-0000C04E4C0A} (Microsoft Tabbed Dialog Control 6.0 (SP4)) - sporcorpdevweb1/[...].cab
O16 - DPF: {BDD1F04B-858B-11D1-B16A-00C0F0283628} (Microsoft ListView Control 6.0 (SP6)) - sporcorpdevweb1/[...].cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - streweb1/[...].cab
O16 - DPF: {C74190B6-8589-11D1-B16A-00C0F0283628} (Microsoft TreeView Control 6.0 (SP6)) - eporwebapp1/[...].cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D491FB72-AC78-11D5-B233-00B0D020136A} (ArrivalDate.DateArrival) - swhesql1/[...].CAB
O16 - DPF: {DEF7CADC-83C0-11D0-A0F1-00A024703500} (True OLE DBGrid 7 Control) - sporcorpdevweb1/[...].cab
O16 - DPF: {E99D3E39-5D92-4360-BA86-2C563B3CFFEB} (Microsoft CMS HTML Editor Toolbar) - http://www.airforce.dixs.mil.nz/CMS/WebAuthor/Client/PlaceholderControlSupport/nrdhtml.cab
O16 - DPF: {F4658983-D500-4B3A-A437-01D6028AD922} (MIT Excel 2000 Step by Step Interactive) - mit/[...].cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - sporatlweb/[...].cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - sporcorpdevweb1/[...].cab
O16 - DPF: {FDE14979-D821-4CD8-BE1C-9D6AF01D097F} (VMTOCCtrl Class) - dcsbhost/[...].cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0F4B9FF-14F7-4750-BA3A-D0017EFF380D}: NameServer = 10.0.1.1
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c009D039.dat
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 14391 bytes
scottyc130 (13874)
678943 2008-06-16 11:00:00 You may have a Vundo / Virtumonde infection.

Run HJT again, tick these, then tick Fix checked.

Close browsers.

Disable System Restore.

O2 - BHO: banneradsgalore browser optimizer - {03abe7b4-0049-5a2d-e6a0-148abd8cd676} - C:\WINDOWS\system32\{dc377b96-97a3-69cd-5553-1016a66019a4}.dll

See if Internet Speed Monitor is in Add/Remove Programs; if it is, uninstall it.

After you uninstall it, if it's there, delete the folder below in Program Files.

O2 - BHO: BeSideit IE Helper - {83C35173-E029-42f1-9692-0341EE379A0D} - C:\Program Files\QdrDrive\QdrDrive16.dll <-

O2 - BHO: (no name) - {92D633A8-5165-4C96-951A-B94185A20A22} - C:\WINDOWS\system32\geBtSMfd.dll <--

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

I don't know what this is, but it doesn't look good.

O4 - HKLM\..\Run: [Update Background] C:\WINDOWS\system32\Updatebg.vbs

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

Delete these 3 files after.

O4 - HKLM\..\Run: [88467395] rundll32.exe "C:\WINDOWS\system32\jqamticp.dll",b <--

O4 - HKLM\..\Run: [BM8b754009] Rundll32.exe "C:\WINDOWS\system32\rlexjrct.dll",s <--

O4 - HKLM\..\Run: [{c903b18a-1ac0-bf49-2ff4-8cc7e7d291e3}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{dc377b96-97a3-69cd-5553-1016a66019a4}.dll" DllStart <--

O20 - AppInit_DLLs: C:\WINDOWS\system32\__c009D039.dat

Then reboot.

Then install something better than Symantec (Avast Home/NOD32), get Trojan Remover and RogueRemover in my sig, update both.

Then click on Scan. Then select all options under Utilities in Trojan Remover.

Run My Computer, highlight C: / right mouse / Scan with Trojan Remover.

Scan the whole HDD.

Uninstall all versions of Java; yours is out of date. Link is in my sig.
Speedy Gonzales (78)
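The entries Speedy Gonzales singles out above follow a few recognisable patterns: a BHO with no name or a GUID for a filename, a Run entry that has rundll32 load a random DLL out of system32, a .vbs in the Run key, and an AppInit_DLLs value that is not even a .dll. The script below is an added example, not part of the thread and not HijackThis's own code: it parses HJT O2/O4/O20 lines and applies those heuristics (which are the editor's, not a vendor's) to sample lines lifted from the log posted above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: ten lines lifted from the HijackThis log posted in this thread
# (three O2 BHOs, five O4 Run entries, the O20 AppInit_DLLs entry and one O23 service).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: banneradsgalore browser optimizer - {03abe7b4-0049-5a2d-e6a0-148abd8cd676} - C:\WINDOWS\system32\{dc377b96-97a3-69cd-5553-1016a66019a4}.dll
O2 - BHO: (no name) - {92D633A8-5165-4C96-951A-B94185A20A22} - C:\WINDOWS\system32\geBtSMfd.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Update Background] C:\WINDOWS\system32\Updatebg.vbs
O4 - HKLM\..\Run: [88467395] rundll32.exe "C:\WINDOWS\system32\jqamticp.dll",b
O4 - HKLM\..\Run: [BM8b754009] Rundll32.exe "C:\WINDOWS\system32\rlexjrct.dll",s
O4 - HKLM\..\Run: [{c903b18a-1ac0-bf49-2ff4-8cc7e7d291e3}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{dc377b96-97a3-69cd-5553-1016a66019a4}.dll" DllStart
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c009D039.dat
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# HijackThis line shapes for the three sections we triage.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<entry>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")

# "rundll32.exe <dll>" or "<dir>\Rundll32.exe "<dll>" ...", case-insensitive; captures the DLL path.
RUNDLL_RE = re.compile(r'^(?:[^"\s]*\\)?rundll32\.exe\s+"?(?P<dll>[^",]+)', re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\", re.I)
SCRIPT_RE = re.compile(r'\.(?:vbs|vbe|js|jse|wsf|bat|cmd)(?:"|\s|$)', re.I)


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def _basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1]


def _stem(path: str) -> str:
    base = _basename(path)
    return base.rsplit(".", 1)[0] if "." in base else base


def _check_bho(m: re.Match, line: str) -> Finding | None:
    # Heuristics, in priority order: nameless BHO, GUID-named DLL, DLL under %WINDIR%.
    if m["name"] == "(no name)":
        return Finding("O2", "BHO registered without a name", line)
    if GUID_RE.match(_stem(m["path"])):
        return Finding("O2", "BHO DLL named after a GUID", line)
    if WINDIR_RE.match(m["path"]):
        return Finding("O2", "BHO DLL living under the Windows directory", line)
    return None


def _check_run(m: re.Match, line: str) -> Finding | None:
    cmd = m["cmd"]
    r = RUNDLL_RE.match(cmd)
    if r and WINDIR_RE.match(r["dll"]):
        return Finding("O4", "rundll32 loading a DLL from the Windows directory", line)
    if SCRIPT_RE.search(cmd):
        return Finding("O4", "startup entry runs a script rather than a program", line)
    if GUID_RE.match(m["entry"]):
        return Finding("O4", "Run value named after a GUID", line)
    return None


def _check_appinit(m: re.Match, line: str) -> Finding | None:
    value = m["value"].strip()
    if not value:
        return None
    # AppInit_DLLs is loaded into every process that maps user32.dll, so any value deserves a look.
    note = "" if value.lower().endswith(".dll") else " (not even a .dll extension)"
    return Finding("O20", "AppInit_DLLs set, loaded into every user32 process" + note, line)


def analyze(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious O2/O4/O20 line, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for regex, check in ((O2_RE, _check_bho), (O4_RE, _check_run), (O20_RE, _check_appinit)):
            m = regex.match(line)
            if m:
                finding = check(m, line)
                if finding:
                    findings.append(finding)
                break
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the full log, the script flags exactly the lines Speedy Gonzales marked with arrows plus the Updatebg.vbs entry, and leaves the Symantec, Adobe and Google entries alone.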
678944 2008-06-17 11:58:00 Thanks very much for the help. You were right, it is a Virtumonde trojan. I have had a few issues with getting a working version of the Trojan Remover downloaded, and it is scanning at present. I have also got Spybot running, which looks like it may have done half a job of removing it; hopefully that will not interfere with the manual deletions I have carried out as per the last post.

I did have the Internet Speed Test sitting in there as well, which is also deleted now.

Looks like the TR scan will take a while, but I will get back to you once it is complete.

At the moment the Spybot Resident is refreshing every second with a notification that something keeps trying to change BM8b754009 in the System Startup Global Entry, which I had blocked, so obviously it is still there.

Thanks again for the assistance; as you may have picked up, I need it!
scottyc130 (13874)
678945 2008-06-17 12:24:00 No worries, try this (www.malwarebytes.org) as well. It's free. Install, then update it, then click on Scan.

See if it picks anything else up
Speedy Gonzales (78)
678946 2008-06-18 08:43:00 Thank you for that; the Malwarebytes one also picked up a couple more issues in addition to the raft of them that Trojan Remover found.

The last scan came back clear, although I did just have the computer shut down for no apparent reason with a critical hardware error, which disappeared before I could read it.

Hate to be a pain, but would it be possible to look at the latest HijackThis file and see if you can see anything out of the ordinary left on it?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:46 p.m., on 18/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Update Background] C:\WINDOWS\system32\Updatebg.vbs
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0002E520-0000-0000-C000-000000000046} (InstPivot) - sporcorpdevweb1/[...].cab
O16 - DPF: {00C7C2A0-8B82-11D1-8B57-00A0C98CD92B} (ActiveReports Viewer) - akwebair/[...].cab
O16 - DPF: {0D6236AB-DBA2-11D1-B5DF-0060976089D0} (ComponentOne XArrayDB Object) - sporcorpdevweb1/[...].cab
O16 - DPF: {0ECD9B64-23AA-11D0-B351-00A0C9055D8E} (Microsoft Hierarchical FlexGrid Control 6.0 (SP4) (OLEDB)) - sporcorpdevweb1/[...].cab
O16 - DPF: {1B476D45-C310-48F6-9BDD-A5072048CF5F} (MIT Word 2000 Step by Step Interactive) - mit/[...].cab
O16 - DPF: {1D3B54A8-C3A0-4E79-AF6E-667042CD7C58} (Microsoft Windows XP Pro Step by Step Interactive) - mit/[...].cab
O16 - DPF: {20DD1B9E-87C4-11D1-8BE3-0000F8754DA1} (Microsoft Date and Time Picker Control 6.0 (SP4)) - eporwebapp1/[...].cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {34C6D274-3B98-11D4-8C00-00104B1C8A13} (WebeMail.eMail) - swhesql1/[...].CAB
O16 - DPF: {3A2B370C-BA0A-11D1-B137-0000F8753F5D} (Microsoft Chart Control 6.0 (SP4) (OLEDB)) - sporcorpdevweb1/[...].cab
O16 - DPF: {5CE71396-91B6-4779-A79B-D80A21DC31B1} (Microsoft Excel 2002 Step by Step Interactive) - mit/[...].cab
O16 - DPF: {6262D3A0-531B-11CF-91F6-C2863C385E30} (Microsoft FlexGrid Control, version 6.0) - sporcorpdevweb1/[...].cab
O16 - DPF: {6962BD5E-B965-492B-9A86-707FE13D5E62} (MIT Office 2000 Step by Step Interactive) - mit/[...].cab
O16 - DPF: {9101884B-6928-42AC-9452-5B8A4A942085} (MIT Outlook 2000 Step by Step Interactive) - mit/[...].cab
O16 - DPF: {98B65D65-50B4-11D3-9441-54AC0EC10000} (ctSchedule Control 4.0) - sporcorpdevweb1/[...].ocx
O16 - DPF: {AA588AFE-1622-47BE-AA06-541E02DFA4D5} (MIT Access 2000 Step by Step Interactive) - mit/[...].cab
O16 - DPF: {BDC217C5-ED16-11CD-956C-0000C04E4C0A} (Microsoft Tabbed Dialog Control 6.0 (SP4)) - sporcorpdevweb1/[...].cab
O16 - DPF: {BDD1F04B-858B-11D1-B16A-00C0F0283628} (Microsoft ListView Control 6.0 (SP6)) - sporcorpdevweb1/[...].cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - streweb1/[...].cab
O16 - DPF: {C74190B6-8589-11D1-B16A-00C0F0283628} (Microsoft TreeView Control 6.0 (SP6)) - eporwebapp1/[...].cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D491FB72-AC78-11D5-B233-00B0D020136A} (ArrivalDate.DateArrival) - swhesql1/[...].CAB
O16 - DPF: {DEF7CADC-83C0-11D0-A0F1-00A024703500} (True OLE DBGrid 7 Control) - sporcorpdevweb1/[...].cab
O16 - DPF: {E99D3E39-5D92-4360-BA86-2C563B3CFFEB} (Microsoft CMS HTML Editor Toolbar) - http://www.airforce.dixs.mil.nz/CMS/WebAuthor/Client/PlaceholderControlSupport/nrdhtml.cab
O16 - DPF: {F4658983-D500-4B3A-A437-01D6028AD922} (MIT Excel 2000 Step by Step Interactive) - mit/[...].cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - sporatlweb/[...].cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - sporcorpdevweb1/[...].cab
O16 - DPF: {FDE14979-D821-4CD8-BE1C-9D6AF01D097F} (VMTOCCtrl Class) - dcsbhost/[...].cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0F4B9FF-14F7-4750-BA3A-D0017EFF380D}: NameServer = 10.0.1.1
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 13325 bytes

Thanks again
scottyc130 (13874)
678947 2008-06-18 08:56:00 If you don't know what this is, or if you didn't add it, tick this entry, then delete the file.

O4 - HKLM\..\Run: C:\WINDOWS\system32\Updatebg.vbs

These don't have to be in startup.

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Speedy Gonzales (78)
678948 2008-06-18 09:31:00 Awesome, thanks very much for your time. scottyc130 (13874)
678949 2008-06-18 09:42:00 No worries Speedy Gonzales (78)