# Solved: xxxxx.exe Bad Image Messages



## Sheep (Aug 22, 2007)

I am getting these messages for presumably each application that loads on my Dell4400 running XP. The app or DLL C/windows/system32/perfc000.dat not a valid windows image.

This machine was previously badly infeceted and I've run free anti syware which solved the immediate probelsm whaich was uncontrollable webpage poup ups.NAV signufies that there is a virus in ny java program dir.

Can you please help? Is it time to reload XP?


----------



## Sheep (Aug 22, 2007)

xxxxx= sass.exe, userinit.exe, prismsvr.exe etc


----------



## MFDnNC (Sep 7, 2004)

*Click here* to download *HJTInstall.exe*

Save *HJTInstall.exe* to your desktop.
Doubleclick on the *HJTInstall.exe* icon on your desktop.
By default it will install to *C:\Program Files\Trend Micro\HijackThis* . 
Click on *Install*.
It will create a HijackThis icon on the desktop.
Once installed, it will launch *Hijackthis*.
Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


----------



## Sheep (Aug 22, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:33:16 PM, on 8/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\NavNT\VPC32.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index.php?tpid=10292&ttid=104
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://ie.marketdart.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dialin&cd=2.1&bm=ho_home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {006EB9F8-875D-4308-B953-9A6CEBE66671} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30B88758-520E-4F09-82CD-E4CFA478BF74} - C:\WINDOWS\system32\moqyggka.dll (file missing)
O2 - BHO: (no name) - {3199AB47-11D8-467A-A140-6BE33A94FE95} - C:\WINDOWS\system32\dufztp.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [660Fz] C:\Documents and Settings\Chris\Local Settings\Temp\660Fz.exe
O4 - HKLM\..\Run: [n4g0] c:\documents and settings\chris\local settings\temp\n4g0.exe
O4 - HKLM\..\Run: [SvL5RRw0u] c:\documents and settings\chris\local settings\temp\SvL5RRw0u.exe
O4 - HKLM\..\Run: * c:\documents and settings\chris\local settings\temp\b.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,[email protected]
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [PTRGMYGK] rundll32.exe ptmg1v.dll,DllRunMain
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels32.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM32\rwintsdv.exe SKY001
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\rwintsdv.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Search.vbs
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Whistle - {220E39C3-B081-4719-AB1A-9A884DCBD05C} - C:\Program Files\WhistleSoftware\WselServices\webband.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://secure.gestrip.com (HKLM)
O15 - Trusted Zone: http://update.randhi.com (HKLM)
O16 - DPF: {33331111-1111-1111-1111-615111193427} - 
O16 - DPF: {33331111-1131-1111-1111-611111193428} - 
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbxurop - C:\WINDOWS\
O20 - Winlogon Notify: pmnnm - C:\WINDOWS\
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.bbc.co.uk/england/webcams/live/manchester.jpg
O24 - Desktop Component 1: (no name) - http://www.bbc.co.uk/england/webcams/live/bushhouse.jpg
O24 - Desktop Component 2: (no name) - http://www.bbc.co.uk/england/webcams/live/newcastle.jpg
O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/Chris/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg
O24 - Desktop Component 4: (no name) - http://ie.marketdart.com/Assets/cab.jpg

--
End of file - 8556 bytes*


----------



## Sheep (Aug 22, 2007)

Firstly, thanks for your help again!

On the main machine (your last patient) I can see this thread.

On my son's damaged machine I can only see my first post and not your replies. Same website all updated . What's that about. This good machine using Firefox now. Son's is still IE.


----------



## Sheep (Aug 22, 2007)

A few days ago I did do some calen up folowwing your other posts. I ran and cleaned up HJT log, also vundofix and nolop.

It improved the situation but no cigar yet
Sheep


----------



## MFDnNC (Sep 7, 2004)

Clear all cookies

*NOTE: If you have downloaded ComboFix previously please delete that version and download it again!*

Download this file :

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
or
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. *Post that log* 

Note: 
Do not mouseclick combofix's window while its running. That may cause it to stall

Check SuperAnti for updates and run it

Post a new hijack log


----------



## Sheep (Aug 22, 2007)

Please bear with me. I cannot run Combo.exe due to the bad image messages. Essentailly the same issue as canuhelpmepls from yesterday! I just get hung up. I didn't persevere to teh 138th click-call me a lazy slob. I guess I need to do teh safe mode deal but will await yr kind instructions. Thanks
Sheep


canuhelpmeplease wrote:
ok.
1. I double click on combo fix which is saved to my desktop.
2. When it opens i get the C:\WINDOWS\system32\cmd.exe command prompt and an error message called nircmd.exe Bad Image

The application or DLL C:\WINDOWS\System32\hrum167.txt is not a valid Windows image. Please check this against your installation diskette.
3. I click ok.
4. The same error then pops up again and again and again
5. After the 3rd "ok" click, the black prompt box turns blue.
6. After the 5th "ok" click, the blue prompt box says, Please Wait. Combo Fix is preparng to run.
7. After the 118th "ok" click, the blue prompt box says, Scanning for infected files..This typically doesn't take more than 10 minutes. Scan times for badly infected machines may easly double
8. When i say "ok" click im talking about the error message i stated above in #2
9. On the 138th "ok" click the blue prompt box says, ComboFix has changed your clock settings. Do not change it back. It shall be restored later
10. From there on i keep clicking ok on the error message and it keeps poping back up and theblue prompt box wont do anything else. It just sits there.


----------



## Sheep (Aug 22, 2007)

Am running superanti as instructed


----------



## MFDnNC (Sep 7, 2004)

Lets see after Super and a hijack log


----------



## Sheep (Aug 22, 2007)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/24/2007 at 03:48 PM

Application Version : 3.9.1008

Core Rules Database Version : 3291
Trace Rules Database Version: 1302

Scan type : Complete Scan
Total Scan Time : 01:01:13

Memory items scanned : 495
Memory threats detected : 0
Registry items scanned : 4923
Registry threats detected : 0
File items scanned : 41188
File threats detected : 14

Trojan.Unknown Origin
C:\RECYCLER\S-1-5-21-440489858-2243138800-104724495-1007\DC1211\A0110267.EXE
C:\RECYCLER\S-1-5-21-440489858-2243138800-104724495-1007\DC1211\A0111261.EXE

Trojan.NewDotNet
C:\RECYCLER\S-1-5-21-440489858-2243138800-104724495-1007\DC1211\A0110268.EXE

Adware.SearchClickAds
C:\RECYCLER\S-1-5-21-440489858-2243138800-104724495-1007\DC1211\A0110269.EXE

Adware.DelFin Project
C:\RECYCLER\S-1-5-21-440489858-2243138800-104724495-1007\DC1211\A0110274.EXE

Trojan.NetMon/DNSChange
C:\RECYCLER\S-1-5-21-440489858-2243138800-104724495-1007\DC1211\A0110275.EXE

Trojan.ZenoSearch
C:\RECYCLER\S-1-5-21-440489858-2243138800-104724495-1007\DC1211\A0110276.EXE

Trojan.Downloader-Gen/Mandingo
C:\RECYCLER\S-1-5-21-440489858-2243138800-104724495-1007\DC1211\A0111258.EXE

Trojan.Downloader-SVCHost/Fake
C:\RECYCLER\S-1-5-21-440489858-2243138800-104724495-1007\DC1211\A0111259.EXE

TargetSaver, Inc. Process
C:\RECYCLER\S-1-5-21-440489858-2243138800-104724495-1007\DC1211\A0111262.EXE
C:\RECYCLER\S-1-5-21-440489858-2243138800-104724495-1007\DC1211\A0111263.EXE
C:\RECYCLER\S-1-5-21-440489858-2243138800-104724495-1007\DC1211\A0111266.EXE

Trojan.Downloader-OFB11
C:\RECYCLER\S-1-5-21-440489858-2243138800-104724495-1007\DC1211\A0111268.EXE

Trojan.Downloader-WebBuying/PopEngine
C:\RECYCLER\S-1-5-21-440489858-2243138800-104724495-1007\DC1215\A0108699.DLL


----------



## Sheep (Aug 22, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:58:41 PM, on 8/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://ie.marketdart.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dialin&cd=2.1&bm=ho_home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {006EB9F8-875D-4308-B953-9A6CEBE66671} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30B88758-520E-4F09-82CD-E4CFA478BF74} - C:\WINDOWS\system32\moqyggka.dll (file missing)
O2 - BHO: (no name) - {3199AB47-11D8-467A-A140-6BE33A94FE95} - C:\WINDOWS\system32\dufztp.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [660Fz] C:\Documents and Settings\Chris\Local Settings\Temp\660Fz.exe
O4 - HKLM\..\Run: [n4g0] c:\documents and settings\chris\local settings\temp\n4g0.exe
O4 - HKLM\..\Run: [SvL5RRw0u] c:\documents and settings\chris\local settings\temp\SvL5RRw0u.exe
O4 - HKLM\..\Run: * c:\documents and settings\chris\local settings\temp\b.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,[email protected]
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [PTRGMYGK] rundll32.exe ptmg1v.dll,DllRunMain
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\rwintsdv.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Search.vbs
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Whistle - {220E39C3-B081-4719-AB1A-9A884DCBD05C} - C:\Program Files\WhistleSoftware\WselServices\webband.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://secure.gestrip.com (HKLM)
O15 - Trusted Zone: http://update.randhi.com (HKLM)
O16 - DPF: {33331111-1111-1111-1111-615111193427} - 
O16 - DPF: {33331111-1131-1111-1111-611111193428} - 
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbxurop - C:\WINDOWS\
O20 - Winlogon Notify: pmnnm - C:\WINDOWS\
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.bbc.co.uk/england/webcams/live/manchester.jpg
O24 - Desktop Component 1: (no name) - http://www.bbc.co.uk/england/webcams/live/bushhouse.jpg
O24 - Desktop Component 2: (no name) - http://www.bbc.co.uk/england/webcams/live/newcastle.jpg
O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/Chris/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg
O24 - Desktop Component 4: (no name) - http://ie.marketdart.com/Assets/cab.jpg

--
End of file - 8129 bytes*


----------



## MFDnNC (Sep 7, 2004)

DO NOT PM ME!!!!!!!!!!!!!POst in in the thread!

That entry is the least of your worries!

===========================

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis  mark them, close IE, click fix checked

O2 - BHO: (no name) - {006EB9F8-875D-4308-B953-9A6CEBE66671} - (no file)

O2 - BHO: (no name) - {30B88758-520E-4F09-82CD-E4CFA478BF74} - C:\WINDOWS\system32\moqyggka.dll (file missing)

O2 - BHO: (no name) - {3199AB47-11D8-467A-A140-6BE33A94FE95} - C:\WINDOWS\system32\dufztp.dll (file missing)

O4 - HKLM\..\Run: [660Fz] C:\Documents and Settings\Chris\Local Settings\Temp\660Fz.exe

O4 - HKLM\..\Run: [n4g0] c:\documents and settings\chris\local settings\temp\n4g0.exe

O4 - HKLM\..\Run: [SvL5RRw0u] c:\documents and settings\chris\local settings\temp\SvL5RRw0u.exe

O4 - HKLM\..\Run: * c:\documents and settings\chris\local settings\temp\b.exe

O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1

O4 - HKLM\..\Run: [PTRGMYGK] rundll32.exe ptmg1v.dll,DllRunMain

O4 - Startup: PowerReg Scheduler.exe

O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\rwintsdv.exe

O15 - Trusted Zone: http://secure.gestrip.com (HKLM)

O15 - Trusted Zone: http://update.randhi.com (HKLM)

O16 - DPF: {33331111-1111-1111-1111-615111193427} 

O16 - DPF: {33331111-1131-1111-1111-611111193428} 

O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat

O20 - Winlogon Notify: cbxurop - C:\WINDOWS\

O20 - Winlogon Notify: pmnnm - C:\WINDOWS\

O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\

DownLoad http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following line(s) one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\system32\perfc000.dat
C:\WINDOWS\SYSTEM32\rwintsdv.exe
C:\Documents and Settings\Chris\Local Settings\Temp\660Fz.exe
c:\documents and settings\chris\local settings\temp\n4g0.exe
c:\documents and settings\chris\local settings\temp\SvL5RRw0u.exe
c:\documents and settings\chris\local settings\temp\b.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START  RUN  type in %temp% - OK - Edit  Select all  File  Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new hijack log from normal NOT safe mode

 How are things on the PC??????????? *


----------



## Sheep (Aug 22, 2007)

Sorry for the PM's my inexperience.

Latest log below. All looking good!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:35 PM, on 8/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://ie.marketdart.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dialin&cd=2.1&bm=ho_home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,[email protected]
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Search.vbs
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Whistle - {220E39C3-B081-4719-AB1A-9A884DCBD05C} - C:\Program Files\WhistleSoftware\WselServices\webband.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.bbc.co.uk/england/webcams/live/manchester.jpg
O24 - Desktop Component 1: (no name) - http://www.bbc.co.uk/england/webcams/live/bushhouse.jpg
O24 - Desktop Component 2: (no name) - http://www.bbc.co.uk/england/webcams/live/newcastle.jpg
O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/Chris/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg
O24 - Desktop Component 4: (no name) - http://ie.marketdart.com/Assets/cab.jpg

--
End of file - 6878 bytes


----------



## MFDnNC (Sep 7, 2004)

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis  mark them, close IE, click fix checked

O4 - Global Startup: Search.vbs

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
================
Click Start > Run > and type in:

services.msc

Click OK.

In the services window find this exact name

System Startup Service

Rightclick and choose "Properties". Beside "Startup Type" in the dropdown menu select "Disabled". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Click Apply then OK. File-Exit the Services utility.

=============
DownLoad http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following line(s) one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Search.vbs

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START  RUN  type in %temp% - OK - Edit  Select all  File  Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new hijack log from normal NOT safe mode

* How are things on the PC??????????? *


----------



## Sheep (Aug 22, 2007)

Search.vbs file not found but followed yr instructions to the letter.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:24 PM, on 8/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://ie.marketdart.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dialin&cd=2.1&bm=ho_home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,[email protected]
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Whistle - {220E39C3-B081-4719-AB1A-9A884DCBD05C} - C:\Program Files\WhistleSoftware\WselServices\webband.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O24 - Desktop Component 0: (no name) - http://www.bbc.co.uk/england/webcams/live/manchester.jpg
O24 - Desktop Component 1: (no name) - http://www.bbc.co.uk/england/webcams/live/bushhouse.jpg
O24 - Desktop Component 2: (no name) - http://www.bbc.co.uk/england/webcams/live/newcastle.jpg
O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/Chris/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg
O24 - Desktop Component 4: (no name) - http://ie.marketdart.com/Assets/cab.jpg

--
End of file - 6706 bytes


----------



## MFDnNC (Sep 7, 2004)

Clean








If you feel its is fixed mark it solved via Thread Tools above

Turn off restore points, boot, turn them back on  heres how

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

This clears infected restore points and sets a new, clean one.


----------



## Sheep (Aug 22, 2007)

Thank you very much for your perseverance and help. I cannot thank you enough. Now ready for back to school.

Sheep


----------

