Virus and BSOD help needed.

Kesava

This morning I started the computer to find 2 shortcuts on my desktop.

[attached screenshot: Untitled-2.jpg]


I had no idea where they had come from, so I thought I should do a virus scan and so on, so I installed Kaspersky and ran HijackThis. Since then I have been unable to complete a full scan because of BSODs which, while not that frequent, still happen before a scan can complete.

My HijackThis log showed something called promo.exe in the system32 folder. I had never seen it before. The icon is of a shield like the Windows Security one, and then it popped up in the taskbar telling me there was a security threat and that I should do blah blah. So this program must have put the shortcuts there and is some sort of adware, I guess. When I click the desktop shortcuts, which are URL links, it takes me to a site that then wants to download some antispyware program. But none of it is legit.

Anyway, I deleted the entry in HijackThis, but when I restarted the shortcuts were back and so was promo.exe.

No idea what to do... trying to scan with Kaspersky, but it doesn't seem to be finding anything.

Here is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:04 AM, on 16/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\WerFault.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\promo.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Users\Kesava\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Users\Kesava\Desktop\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Presario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Presario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Presario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Presario&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [promo] C:\Windows\system32\promo.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Kesava\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [dgmlp] %systemroot%\system32\dgmlp.exe 30 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [dgmlp] %systemroot%\system32\dgmlp.exe 30 (User 'Default user')
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11CF0D4A-08F1-4AFD-BBFD-CCDB4227C00B}: NameServer = 172.17.241.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AA8DBD6-5A30-424F-B238-D41730331642}: NameServer = 172.17.241.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{11CF0D4A-08F1-4AFD-BBFD-CCDB4227C00B}: NameServer = 172.17.241.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{11CF0D4A-08F1-4AFD-BBFD-CCDB4227C00B}: NameServer = 172.17.241.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9083 bytes


Thanks for the help :)
 
It didn't find anything.

Malwarebytes' Anti-Malware 1.31
Database version: 1504
Windows 6.0.6001 Service Pack 1

16/12/2008 12:03:29 PM
mbam-log-2008-12-16 (12-03-29).txt

Scan type: Quick Scan
Objects scanned: 49645
Time elapsed: 7 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:54 PM, on 16/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\promo.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Users\Kesava\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\Kesava\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Presario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Presario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Presario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Presario&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [promo] C:\Windows\system32\promo.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Kesava\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [dgmlp] %systemroot%\system32\dgmlp.exe 30 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [dgmlp] %systemroot%\system32\dgmlp.exe 30 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11CF0D4A-08F1-4AFD-BBFD-CCDB4227C00B}: NameServer = 172.17.241.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AA8DBD6-5A30-424F-B238-D41730331642}: NameServer = 172.17.241.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{11CF0D4A-08F1-4AFD-BBFD-CCDB4227C00B}: NameServer = 172.17.241.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{11CF0D4A-08F1-4AFD-BBFD-CCDB4227C00B}: NameServer = 172.17.241.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9087 bytes
 
Are there any new programs in your Add/Remove list? You may be able to uninstall it.
 
Nope, nothing new installed that I can think of or see.

No scanners seem to be finding it...

I'll get spybot and scan with that just in case.

Any other ideas?
 
You can try Combofix. I did a quick search at SpywareInfo. Couldn't find anything regarding promo.exe.

You can manually delete the file, and remove the following entry with HiJackThis: O4 - HKLM\..\Run: [promo] C:\Windows\system32\promo.exe

Everything else looks okay, although Buzz or ceewi1 would know better.
 
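To show the triage behind that advice, here is an added example of my own (not code from the thread, nor from HijackThis or ComboFix). It parses the O4 autorun lines from the HijackThis log and the "Files Created" lines from the ComboFix log posted above, flags autoruns that launch an unrecognised binary from system32 or that are registered under the SYSTEM and .DEFAULT hives, and groups created files by size so that one binary dropped under two names stands out. The allowlist and the defaults used to expand %systemroot% and %ProgramFiles% are assumptions.

```python
import re
from collections import defaultdict

# Sample lines copied from the HijackThis and ComboFix logs in this thread.
HJT_LINES = [
    r"O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe",
    r"O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r"O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe",
    r'O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"',
    r"O4 - HKLM\..\Run: [promo] C:\Windows\system32\promo.exe",
    r"O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')",
    r"O4 - HKUS\S-1-5-18\..\Run: [dgmlp] %systemroot%\system32\dgmlp.exe 30 (User 'SYSTEM')",
    r"O4 - HKUS\.DEFAULT\..\Run: [dgmlp] %systemroot%\system32\dgmlp.exe 30 (User 'Default user')",
]
COMBOFIX_LINES = [
    r"2008-12-16 11:55 . 2008-12-03 19:52 15,504 --a------ c:\windows\System32\drivers\mbam.sys",
    r"2008-12-16 08:51 . 2008-12-16 08:51 <DIR> d-------- c:\program files\Kaspersky Lab",
    r"2008-12-15 08:00 . 2008-12-16 09:21 30,208 --a------ c:\windows\System32\promo.exe",
    r"2008-12-14 13:17 . 2008-12-16 09:22 102,134 --a------ c:\windows\System32\dgmlurl2.ico",
    r"2008-12-14 13:17 . 2008-12-16 09:22 102,134 --a------ c:\windows\System32\dgmlurl1.ico",
    r"2008-12-14 13:17 . 2008-12-14 13:17 30,208 --a------ c:\windows\System32\dgmlp.exe",
]

# HijackThis O4 line: "O4 - <hive>\..\Run: [<name>] <command> (User '<user>')"
HJT_O4 = re.compile(
    r"^O4 - (?P<hive>[^:]+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']+)'\))?$"
)
# ComboFix "Files Created" line: "<created> . <modified> <size> <attrs> <path>"
CF_FILE = re.compile(r"^\S+ \S+ \. \S+ \S+ (?P<size>[\d,]+) \S+ (?P<path>.+)$")

# Assumed defaults for the variables HijackThis leaves unexpanded.
ENV = {"systemroot": "C:\\Windows", "programfiles": "C:\\Program Files"}
SYSTEM32 = "c:\\windows\\system32\\"
# Hives an ordinary user application has no business registering itself under.
SYSTEM_HIVES = {"HKUS\\S-1-5-18", "HKUS\\.DEFAULT"}
# Assumed allowlist of system32 binaries that legitimately autorun in this log.
KNOWN_SYSTEM32 = {"hkcmd.exe", "igfxpers.exe"}


def expand_env(path):
    """Replace %VAR% with the assumed defaults; unknown variables are left as-is."""
    return re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), path)


def exe_path(cmd):
    """Pull the executable out of a Run-key command line, quoted or not."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_o4(line):
    m = HJT_O4.match(line)
    return m.groupdict() if m else None


def suspicious_autoruns(lines):
    """Return (name, path, reasons) for every O4 entry that deserves a closer look."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        path = expand_env(exe_path(entry["cmd"]))
        base = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if path.lower().startswith(SYSTEM32) and base not in KNOWN_SYSTEM32:
            reasons.append("unrecognised binary launched from system32")
        if entry["hive"] in SYSTEM_HIVES:
            reasons.append("registered under the SYSTEM/.DEFAULT hive")
        if reasons:
            flagged.append((entry["name"], path, reasons))
    return flagged


def same_size_groups(lines):
    """Group ComboFix-created files by byte size. Identical sizes under different
    names are a cheap hint (not proof) that one dropper wrote both files."""
    groups = defaultdict(list)
    for line in lines:
        m = CF_FILE.match(line)
        if m:
            groups[int(m.group("size").replace(",", ""))].append(m.group("path"))
    return {size: paths for size, paths in groups.items() if len(paths) > 1}


if __name__ == "__main__":
    for name, path, reasons in suspicious_autoruns(HJT_LINES):
        print(f"[{name}] {path}: {'; '.join(reasons)}")
    for size, paths in same_size_groups(COMBOFIX_LINES).items():
        print(f"{size} bytes: {', '.join(paths)}")
```

On the lines above the script flags promo and both dgmlp entries and reports that promo.exe and dgmlp.exe are both 30,208 bytes, which is why deleting one Run entry alone did not hold.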
I've tried everything, even used System Restore to go back to yesterday when nothing was going wrong. It's still here.

What can I do? Here is the combofix log:

ComboFix 08-12-15.03 - Kesava 2008-12-16 13:14:12.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1013.286 [GMT 11:00]
Running from: c:\users\Kesava\Desktop\ComboFix.exe
.
/wow section - STAGE 1
Access is denied.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dgmcrrx.dll
c:\windows\system32\dgmwqsc.dll
c:\windows\system32\drivers\dgmmbcb.sys
c:\windows\system32\KBL.LOG
c:\windows\system32\x64

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_DGMSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 )))))))))))))))))))))))))))))))
.

2008-12-16 11:55 . 2008-12-16 11:55 <DIR> d-------- c:\users\Kesava\AppData\Roaming\Malwarebytes
2008-12-16 11:55 . 2008-12-03 19:52 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-16 11:54 . 2008-12-16 11:54 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-12-16 11:54 . 2008-12-16 11:54 <DIR> d-------- c:\programdata\Malwarebytes
2008-12-16 11:54 . 2008-12-16 11:55 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-16 11:54 . 2008-12-03 19:52 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-16 10:38 . 2008-12-16 11:23 185,239,894 --a------ c:\windows\MEMORY.DMP
2008-12-16 08:54 . 2008-12-16 08:54 96,976 --a------ c:\windows\System32\drivers\klin.dat
2008-12-16 08:54 . 2008-12-16 08:54 87,855 --a------ c:\windows\System32\drivers\klick.dat
2008-12-16 08:51 . 2008-12-16 13:28 <DIR> d-------- c:\users\All Users\Kaspersky Lab
2008-12-16 08:51 . 2008-12-16 13:28 <DIR> d-------- c:\programdata\Kaspersky Lab
2008-12-16 08:51 . 2008-12-16 08:51 <DIR> d-------- c:\program files\Kaspersky Lab
2008-12-16 08:51 . 2008-12-16 13:29 4,186,144 --ahs---- c:\windows\System32\drivers\fidbox.dat
2008-12-16 08:51 . 2008-12-16 13:25 393,248 --ahs---- c:\windows\System32\drivers\fidbox2.dat
2008-12-16 08:51 . 2008-12-16 13:25 34,832 --ahs---- c:\windows\System32\drivers\fidbox.idx
2008-12-16 08:51 . 2008-12-16 13:25 2,424 --ahs---- c:\windows\System32\drivers\fidbox2.idx
2008-12-16 08:47 . 2008-12-16 08:47 <DIR> d-------- c:\users\All Users\Kaspersky Lab Setup Files
2008-12-16 08:47 . 2008-12-16 08:47 <DIR> d-------- c:\programdata\Kaspersky Lab Setup Files
2008-12-16 08:31 . 2008-12-16 08:28 102,664 --a------ c:\windows\System32\drivers\tmcomm.sys
2008-12-16 08:27 . 2008-12-16 08:33 <DIR> d-------- c:\users\Kesava\.housecall6.6
2008-12-15 08:00 . 2008-12-16 09:21 30,208 --a------ c:\windows\System32\promo.exe
2008-12-14 20:32 . 2008-12-14 20:32 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-12-14 13:17 . 2008-12-16 09:22 102,134 --a------ c:\windows\System32\dgmlurl2.ico
2008-12-14 13:17 . 2008-12-16 09:22 102,134 --a------ c:\windows\System32\dgmlurl1.ico
2008-12-14 13:17 . 2008-12-14 13:17 30,208 --a------ c:\windows\System32\dgmlp.exe
2008-12-11 18:37 . 2008-01-19 16:49 6,144 --a------ c:\windows\System32\drivers\beep.sys
2008-12-11 18:34 . 2008-12-11 18:34 <DIR> d-------- c:\program files\Xilisoft
2008-12-10 09:11 . 2008-12-10 11:18 <DIR> d-------- c:\users\Kesava\AppData\Roaming\Download Manager
2008-12-10 07:16 . 2008-10-22 12:22 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-10 06:47 . 2008-11-01 12:21 4,240,384 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2008-12-10 06:47 . 2008-10-21 16:25 296,960 --a------ c:\windows\System32\gdi32.dll
2008-12-10 06:47 . 2008-11-01 14:44 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2008-12-10 06:46 . 2008-10-29 17:29 2,927,104 --a------ c:\windows\explorer.exe
2008-12-10 06:46 . 2008-10-16 13:23 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-12-10 06:46 . 2008-10-16 15:47 827,392 --a------ c:\windows\System32\wininet.dll
2008-12-10 06:45 . 2008-06-23 12:59 2,868,736 --a------ c:\windows\System32\mf.dll
2008-12-10 06:45 . 2008-06-23 12:59 996,352 --a------ c:\windows\System32\WMNetMgr.dll
2008-12-10 06:45 . 2008-06-23 12:58 94,720 --a------ c:\windows\System32\logagent.exe
2008-12-06 09:11 . 2008-12-06 09:11 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-06 09:07 . 2008-12-06 09:08 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-30 15:39 . 2008-11-30 15:40 <DIR> dr------- c:\program files\TypingMaster
2008-11-30 15:21 . 2008-11-10 05:43 410,984 --a------ c:\windows\System32\deploytk.dll
2008-11-30 09:08 . 2008-12-02 07:42 <DIR> d-------- c:\users\Kesava\AppData\Roaming\Xfire
2008-11-30 09:07 . 2008-12-05 08:27 <DIR> d-------- c:\users\All Users\Xfire
2008-11-30 09:07 . 2008-12-05 08:27 <DIR> d-------- c:\programdata\Xfire
2008-11-30 09:07 . 2008-11-30 09:08 <DIR> d-------- c:\program files\Xfire
2008-11-30 09:06 . 2008-12-01 16:28 <DIR> d-------- c:\program files\Steam
2008-11-30 09:06 . 2008-12-01 16:28 <DIR> d-------- c:\program files\Common Files\Steam
2008-11-29 18:39 . 2008-11-29 18:40 <DIR> d-------- c:\users\Kesava\AppData\Roaming\Ventrilo
2008-11-29 18:38 . 2008-11-29 18:38 <DIR> d-------- c:\program files\Ventrilo
2008-11-29 18:38 . 2008-11-29 18:38 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-11-26 14:11 . 2008-11-26 14:11 <DIR> d-------- c:\users\Kesava\AppData\Roaming\Foxit
2008-11-26 14:11 . 2008-12-06 08:44 <DIR> d-------- c:\program files\Foxit Software
2008-11-26 07:11 . 2008-10-21 16:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-26 07:11 . 2008-08-28 14:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-26 07:11 . 2008-08-28 14:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-26 07:11 . 2008-08-28 14:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-26 07:11 . 2008-10-22 14:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-25 08:33 . 2008-11-25 08:34 <DIR> d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 08:33 . 2008-11-25 08:34 <DIR> d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 08:33 . 2008-11-25 08:33 <DIR> d-------- c:\program files\iPod
2008-11-25 08:30 . 2008-11-25 08:31 <DIR> d-------- c:\program files\QuickTime
2008-11-21 16:21 . 2008-11-22 09:19 <DIR> d-------- c:\program files\Google
2008-11-21 07:45 . 2008-11-21 07:45 42,320 --a------ c:\windows\System32\xfcodec.dll
2008-11-19 13:01 . 2008-10-17 08:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-19 13:01 . 2008-10-17 07:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-19 13:01 . 2008-10-17 08:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-19 13:01 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-19 13:01 . 2008-10-17 07:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-19 13:01 . 2008-10-17 08:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-19 13:01 . 2008-10-17 08:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-19 13:01 . 2008-10-17 08:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-19 13:01 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 04:23 --------- d-----w c:\users\Kesava\AppData\Roaming\uTorrent
2008-12-15 03:37 --------- d-----w c:\users\Kesava\AppData\Roaming\FrostWire
2008-12-14 05:43 --------- d-----w c:\users\Kesava\AppData\Roaming\dvdcss
2008-12-11 07:35 --------- d-----w c:\users\Kesava\AppData\Roaming\Xilisoft Corporation
2008-12-11 03:33 --------- d-----w c:\users\Kesava\AppData\Roaming\Apple Computer
2008-12-09 20:34 --------- d-----w c:\program files\Windows Mail
2008-12-09 20:22 --------- d-----w c:\programdata\Microsoft Help
2008-12-02 20:39 --------- d-----w c:\program files\Java
2008-11-30 02:26 --------- d-----w c:\users\Kesava\AppData\Roaming\vlc
2008-11-29 07:37 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-26 09:35 --------- d-----w c:\program files\iTunes
2008-11-24 21:33 --------- d-----w c:\program files\Common Files\Apple
2008-11-24 04:10 --------- d-----w c:\program files\FrostWire
2008-11-24 02:09 --------- d-----w c:\users\Kesava\AppData\Roaming\Skype
2008-11-24 02:04 --------- d-----w c:\users\Kesava\AppData\Roaming\skypePM
2008-11-12 05:53 --------- d-----w c:\program files\StorageCrypt v2.0
2008-11-12 05:36 --------- d-----w c:\programdata\TrueCrypt
2008-11-12 02:28 --------- d-----w c:\program files\Sony Corporation
2008-11-11 21:14 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 21:01 --------- d-----w c:\program files\THQ
2008-11-11 09:00 218,376 ----a-w c:\windows\System32\klogon.dll
2008-11-11 08:58 25,601 ----a-w c:\windows\system32\drivers\klopp.dat
2008-11-10 03:01 --------- d-----w c:\program files\RocketDock
2008-11-10 02:42 --------- d-----w c:\program files\7-Zip
2008-11-10 02:22 --------- d-----w c:\program files\Microsoft.NET
2008-11-10 02:14 --------- d-----w c:\program files\Microsoft Small Business
2008-11-09 11:12 --------- d-----w c:\program files\uTorrent
2008-11-07 22:58 --------- d-----w c:\program files\Microsoft Works
2008-11-07 22:34 --------- d-----w c:\programdata\Spybot - Search & Destroy
2008-11-07 22:30 --------- d-----w c:\programdata\CyberLink
2008-11-07 22:30 --------- d-----w c:\program files\HP
2008-11-07 09:36 --------- d-----w c:\users\Robyn\AppData\Roaming\dvdcss
2008-11-07 08:40 --------- d-----w c:\users\Robyn\AppData\Roaming\FlashGet
2008-11-07 08:40 --------- d-----w c:\users\Robyn\AppData\Roaming\ESET
2008-11-05 21:35 --------- d-----w c:\users\Kesava\AppData\Roaming\ESET
2008-11-05 21:31 --------- d-----w c:\programdata\ESET
2008-11-05 11:08 --------- d-----w c:\programdata\Skype
2008-11-05 11:08 --------- d-----w c:\program files\Common Files\Skype
2008-11-05 11:08 --------- d-----r c:\program files\Skype
2008-11-05 10:38 --------- d-----w c:\users\Kesava\AppData\Roaming\FlashGet
2008-11-05 10:31 2,560 ----a-w c:\windows\_MSRSTRT.EXE
2008-11-05 10:31 --------- d---a-w c:\programdata\TEMP
2008-11-05 10:22 --------- d-----w c:\users\Robyn\AppData\Roaming\vlc
2008-11-05 06:39 --------- d-----w c:\program files\CCleaner
2008-11-05 02:04 --------- d-----w c:\users\Kesava\AppData\Roaming\Azureus
2008-11-05 00:32 --------- d-----w c:\program files\Total Video Converter
2008-11-04 07:21 --------- d-----w c:\programdata\Office Genuine Advantage
2008-11-01 07:56 --------- d-----w c:\users\Kesava\AppData\Roaming\Vidalia
2008-11-01 07:56 --------- d-----w c:\users\Kesava\AppData\Roaming\tor
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-31 01:15 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-10-31 01:15 --------- d-----w c:\users\Kesava\AppData\Roaming\DAEMON Tools
2008-10-31 00:51 --------- d-----w c:\users\Kesava\AppData\Roaming\CyberLink
2008-10-30 22:17 --------- d-----w c:\programdata\SpeedBit
2008-10-25 00:36 --------- d-----w c:\program files\TuneUp Utilities 2008
2008-10-24 23:28 355,584 ----a-w c:\windows\System32\TuneUpDefragService.exe
2008-10-24 23:28 --------- d-----w c:\users\Kesava\AppData\Roaming\TuneUp Software
2008-10-24 23:27 --------- d-----w c:\programdata\TuneUp Software
2008-10-21 22:01 --------- d-----w c:\programdata\Azureus
2008-10-21 12:12 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-21 09:31 --------- d-----w c:\programdata\DVD Shrink
2008-10-21 05:25 --------- d-----w c:\programdata\Apple Computer
2008-10-21 05:24 --------- d-----w c:\program files\Bonjour
2008-10-21 05:21 --------- d-----w c:\program files\Apple Software Update
2008-10-21 05:19 --------- d-----w c:\programdata\Apple
2008-10-21 03:48 --------- d-----w c:\program files\DVD Shrink
2008-10-21 03:32 --------- d-----w c:\users\Kesava\AppData\Roaming\TypingMaster7
2008-10-21 03:02 --------- d-----w c:\users\Kesava\AppData\Roaming\HP
2008-10-17 07:29 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-10-16 22:04 --------- d-----w c:\program files\Apoint2K
2008-10-16 21:49 --------- d-----w c:\program files\CONEXANT
2008-10-13 08:14 174 --sha-w c:\program files\desktop.ini
2008-10-13 07:36 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-10-13 07:36 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-10-08 16:33 27,176 ----a-w c:\windows\snuvcdsm.exe
2008-10-08 16:28 195,112 ----a-w c:\windows\System32\csnp2uvc.dll
2008-09-30 05:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-03-31 21:59 32 ----a-w c:\users\All Users\ezsid.dat
2008-03-31 21:59 32 ----a-w c:\programdata\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-09-09 3513344]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Google Update"="c:\users\Kesava\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-11-20 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-10-25 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-04 178712]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-28 202032]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-14 222504]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-04 480560]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-11-11 206088]
"promo"="c:\windows\system32\promo.exe" [2008-12-16 30208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"dgmlp"="c:\windows\system32\dgmlp.exe" [2008-12-14 30208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd.dll,c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll,c:\progra~1\KASPER~1\KASPER~1\adialhk.dll,c:\progra~1\KASPER~1\KASPER~1\kloehk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1639029899-3317176886-3506297400-1003]
"EnableNotificationsRef"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1639029899-3317176886-3506297400-1004]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A5EAC1B6-A448-434C-A2A9-95BAA0E2641A}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{699BBAB6-F545-414D-BE21-1EC36E99D783}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{D005DF3B-EDC7-49F8-B72A-BF4331A3ADC7}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{C348C549-465E-4E27-BC63-5854E6E1CDEA}"= Disabled:UDP:c:\program files\Skype\Phone\Skype.exe:Skype
"{B1B11F5F-419A-42F7-8390-90177EC52B65}"= Disabled:TCP:c:\program files\Skype\Phone\Skype.exe:Skype
"{FEB0B0DB-22D2-42E5-B885-AA04A7412D23}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{645FDB70-7CE0-48CE-955E-7E2BFE64BF9B}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{36B19FB1-261E-45AB-8D8A-2014B6AC6B8C}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{48F381CB-D8A7-4D55-B06F-B5A3019769A4}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"TCP Query User{01F6A292-0102-4B4E-B477-02161FBE3F47}c:\\program files\\joost\\xulrunner\\tvprunner.exe"= Disabled:UDP:c:\program files\joost\xulrunner\tvprunner.exe:tvprunner
"UDP Query User{0F2556E9-AD6D-411F-85A1-7B9EEF22D1BD}c:\\program files\\joost\\xulrunner\\tvprunner.exe"= Disabled:TCP:c:\program files\joost\xulrunner\tvprunner.exe:tvprunner
"TCP Query User{ACDA29F9-AFEC-4D70-BBA1-A82A53B8ACF0}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{8D38A321-06FF-4D54-BFA3-CE998ED629F9}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"{A65F4361-169C-496E-B6DA-40B57AE5CA2F}"= UDP:c:\program files\FrostWire\FrostWire.exe:FrostWire
"{8E5F6A84-0E24-4ACD-A2C9-EFE9C435D56E}"= TCP:c:\program files\FrostWire\FrostWire.exe:FrostWire
"{F76101FB-EC13-455A-97AC-2692230F572A}"= Disabled:UDP:c:\program files\Skype\Phone\Skype.exe:Skype
"{78E253A1-9D57-444E-A70A-C4F5224CA354}"= TCP:c:\program files\Skype\Phone\Skype.exe:Skype
"{5B035115-8C0A-4254-93B5-2C76A8A54C99}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{DDFA8548-919B-4287-B1A1-45D64F303744}c:\\program files\\flashget\\flashget.exe"= UDP:c:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{C014534E-CA86-48FB-992B-97A3435B45A8}c:\\program files\\flashget\\flashget.exe"= TCP:c:\program files\flashget\flashget.exe:FlashGet
"{7FC72903-4866-476D-817C-A2469434AB08}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{DA9E8E99-6138-47AD-A29A-BE915D99F7EB}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{7D50CC46-CE91-40B5-8F87-6BC835DC06EF}c:\\users\\kesava\\documents\\aok\\age2_x1.exe"= UDP:c:\users\kesava\documents\aok\age2_x1.exe:age2_x1.exe
"UDP Query User{A2B4A77D-5C49-42B5-8E6F-F4BF16991035}c:\\users\\kesava\\documents\\aok\\age2_x1.exe"= TCP:c:\users\kesava\documents\aok\age2_x1.exe:age2_x1.exe
"TCP Query User{A95D816C-0CE5-4834-AC8C-A39142039C8E}c:\\program files\\thq\\dawn of war\\w40k.exe"= UDP:c:\program files\thq\dawn of war\w40k.exe:W40K
"UDP Query User{12BC8613-54AF-4B59-B419-A61F89FF4E8E}c:\\program files\\thq\\dawn of war\\w40k.exe"= TCP:c:\program files\thq\dawn of war\w40k.exe:W40K
"TCP Query User{6C1206D1-CC12-47A1-A496-88FBE29FCFC0}C:1\\portableapps\\portableapps\\amsnportable\\app\\amsn\\bin\\wish.exe"= UDP:C:1\portableapps\portableapps\amsnportable\app\amsn\bin\wish.exe:wish.exe
"UDP Query User{FC74800C-A72F-494E-AD69-C6D68E90C4D6}C:1\\portableapps\\portableapps\\amsnportable\\app\\amsn\\bin\\wish.exe"= TCP:C:1\portableapps\portableapps\amsnportable\app\amsn\bin\wish.exe:wish.exe
"{D364A48C-44D5-4ED7-A0A6-789A8CB69E49}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{D2EE060F-8236-4ED2-B95A-56DEACD84BA3}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{A47F32AE-6DB2-4D47-A667-8C67A635C13F}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{4D97F59C-6FA5-41A7-8FD2-76C2BA86793E}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{82AF6471-2AE9-4215-9F61-851161022751}"= UDP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{EFEC1244-73BE-4B91-9EC6-7CA2C81246CB}"= TCP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"TCP Query User{88CE41E2-7AD4-4096-AA1E-8472B010239B}c:\\program files\\xfire\\xfire.exe"= UDP:c:\program files\xfire\xfire.exe:Xfire
"UDP Query User{B378C470-E19A-4E12-8E81-8FD2453CE415}c:\\program files\\xfire\\xfire.exe"= TCP:c:\program files\xfire\xfire.exe:Xfire

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2008-07-09 20496]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
S2 EsetNod32Fix;Nod32 AV;c:\windows\Regedit.exe /s c:\windows\Fix.reg [2008-08-28 134656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2008-12-16 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]

2008-12-15 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\users\Kesava\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-20 21:21]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 13:28:38
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3844)
c:\program files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\windows\System32\wercon.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-12-16 13:48:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-16 02:48:37

Pre-Run: 42,925,506,560 bytes free
Post-Run: 43,201,896,448 bytes free

330 --- E O F --- 2008-12-09 20:22:46
 
  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\Windows\system32\promo.exe
    C:\Windows\system32\dgmlp.exe
    c:\windows\System32\dgmlurl2.ico
    c:\windows\System32\dgmlurl1.ico
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "promo"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "dgmlp"=-
    
    Driver::
    EsetNod32Fix
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.


    [screenshot: CFScriptB-4.gif]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log. Please delete the offending icons on the Desktop and post an update on how your system is running.
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.
 
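The entries the helper's CFScript above removes can be picked out of the ComboFix log mechanically: two freshly dated executables of identical size (30208 bytes) registered under Run keys, one of them under the rarely used HKEY_USERS\.DEFAULT hive, a "service" whose image is regedit.exe silently importing a .reg file, and UAC, the firewall and Security Center monitoring all switched off by policy. The Python script below is an added example for this thread, not code from ComboFix or from anyone in the discussion; it parses an excerpt of the 'Reg Loading Points' section posted above (embedded as sample input) and applies those rules. The rule names, the seven-day "recent" window, the interpreter list and the set of weak policy values are assumptions made for the example.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not part of ComboFix or the helper's script.
"""
import re
from collections import defaultdict, namedtuple
from datetime import date

# Excerpt of the ComboFix log posted above, trimmed to the lines the rules
# inspect; sample input constructed for the example, not a live log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-11-11 206088]
"promo"="c:\windows\system32\promo.exe" [2008-12-16 30208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"dgmlp"="c:\windows\system32\dgmlp.exe" [2008-12-14 30208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
S2 EsetNod32Fix;Nod32 AV;c:\windows\Regedit.exe /s c:\windows\Fix.reg [2008-08-28 134656]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$')
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<dword>dword:)?(?P<value>[0-9a-fA-F]+)')
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<image>.+?)\s+\[\d{4}-\d{2}-\d{2}\s+\d+\]$")

# Assumptions made for the example: images that are interpreters rather than
# service binaries, and policy values that mean a control is switched off.
INTERPRETERS = ("regedit.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "mshta.exe")
WEAK_POLICY = {("EnableLUA", 0): "uac-disabled",
               ("EnableFirewall", 0): "firewall-disabled",
               ("DisableMonitoring", 1): "security-center-monitoring-disabled"}

Autorun = namedtuple("Autorun", "key name path modified size")
Service = namedtuple("Service", "name description image")


def parse_reg_loading_points(text):
    """Split the section into Run-key entries, policy values and service lines."""
    runs, policies, services, key = [], {}, [], None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if m := KEY_RE.match(line):
            key = m["key"]
        elif m := SERVICE_RE.match(line):
            services.append(Service(m["name"], m["desc"], m["image"]))
        elif key is None:
            pass
        elif (m := RUN_VALUE_RE.match(line)) and key.lower().endswith("\\run"):
            runs.append(Autorun(key, m["name"], m["path"], date.fromisoformat(m["date"]), int(m["size"])))
        elif m := POLICY_RE.match(line):
            policies[(key, m["name"])] = int(m["value"], 16 if m["dword"] else 10)
    return runs, policies, services


def triage(text, scan_date="2008-12-16", recent_days=7):
    """Return (rule, detail) pairs; scan_date is the date printed in the log itself."""
    scan = date.fromisoformat(scan_date)
    runs, policies, services = parse_reg_loading_points(text)
    findings, by_size = [], defaultdict(set)
    for e in runs:
        by_size[e.size].add(e.path.lower())
        # A binary dropped straight into %WINDIR% days before the scan; vendor
        # files in the same directory (hkcmd.exe) are months old and pass.
        if e.path.lower().startswith("c:\\windows\\") and 0 <= (scan - e.modified).days <= recent_days:
            findings.append(("recent-windows-dir-autorun", f"{e.key}\\{e.name} -> {e.path} ({e.modified})"))
        # .DEFAULT is the profile used before anyone logs on; user software does not belong there.
        if e.key.lower().startswith("hkey_users\\.default\\"):
            findings.append(("default-hive-autorun", f"{e.key}\\{e.name} -> {e.path}"))
    # Distinct autorun files of identical size are usually copies of one dropper.
    for size, paths in sorted(by_size.items()):
        if len(paths) > 1:
            findings.append(("same-size-clones", f"size {size}: " + ", ".join(sorted(paths))))
    # A 'service' whose image is an interpreter re-applies whatever it is fed at every boot.
    for s in services:
        if any(i in s.image.lower() for i in INTERPRETERS):
            findings.append(("interpreter-service", f"{s.name} ({s.description}) -> {s.image}"))
    for (key, name), value in policies.items():
        if rule := WEAK_POLICY.get((name, value)):
            findings.append((rule, key))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

Run as-is it prints the nine findings for the sample; pass the full text of a real log to `triage()` with the scan date from its own "Rootkit scan" line to get the same list for that machine. The timestamp rule is what separates promo.exe and dgmlp.exe from hkcmd.exe, which also lives in system32 but carries a months-old date; a system32 path on its own tells you nothing.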
To change the clock settings back, go to Control Panel -> Clock, Language, and Region -> Change the date, time, or number format -> Customize this format -> Time and set the Time format to h:mm:ss tt.
 

Thanks :) I just reset everything back to defaults.
Here is my final log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:18 PM, on 18/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Users\Kesava\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Kesava\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Presario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Presario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Kesava\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11CF0D4A-08F1-4AFD-BBFD-CCDB4227C00B}: NameServer = 172.17.241.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AA8DBD6-5A30-424F-B238-D41730331642}: NameServer = 172.17.241.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{11CF0D4A-08F1-4AFD-BBFD-CCDB4227C00B}: NameServer = 172.17.241.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7366 bytes
 
Great, your log looks clean.

Please click on Start -> Run. Type ComboFix /u and click OK.
Note the space between the ComboFix and the /u
This will remove the backups that ComboFix has created as well as the program itself.

You appear to have removed Kaspersky since your first post, I strongly recommend you install it or another antivirus program as soon as possible.
 