
Infostealer.gamepass

Discussion in 'Malware and Virus Removal Archive' started by towman177, 2007/05/22.

  1. 2007/05/22
    towman177

    Hello. My Norton Antivirus has detected a virus and I cannot get rid of it. I am not at all computer literate. It took me over an hour to figure out how to post this.:eek: If anyone can please help me I would greatly appreciate it. Thank you.
     
  2. 2007/05/23
    TeMerc

    Hello and welcome to WindowsBBS Forums.

    Here is how we like to begin our analysis of your pc:

    For starters, if you do not have them yet, please DL and run AdAware & Spybot Search & Destroy. AdAware and Spybot Search & Destroy are 2 of the most trusted apps in the security area. They are both free, complement each other nicely, and do not use a lot of resources. They can be found here:

    Spybot Search & Destroy v.1.4
    AdAware SE Free v1.06r

    With AdAware and Spybot: DL, follow the install instructions, check for updates, then scan, repair/remove/quarantine anything found. Reboot before next scan with whichever app is next. The reason for running these apps is to clean up some of the other 'crapware' on your pc, which, in turn, will make deciphering your HJT log easier.

    Then we use HiJackThis v1.99.1
    Please download HijackThis! SetUp from here. Save the file to your desktop.

    Double-click the HijackThis! SetUp icon to begin the installation. Follow the prompts for the default install location of: 'C:\Program Files\HijackThis'. Tick the 'Create a desktop' button when the option appears. Select next, then allow HijackThis! to start.

    Then press the [Scan] button. You will notice the [Scan] button will turn into a [Save Log] button. Click the [Save Log] button and notepad will open up with the contents of the scan. Right-click in the saved log, and select 'copy'. Then proceed to your original thread, unless otherwise instructed and click the '[Reply]' button and paste the saved contents to be reviewed. Do not make any modifications to the log or perform any 'fixes' until told to do so.

    **Also please let me know where Norton says the virus is located, meaning the file path.
     


  4. 2007/05/23
    towman177

    I believe I have done as instructed. Norton has given me a file path of C:windows\system32\mppds.dll


    Here is the log. I hope I have done it right.


    Logfile of HijackThis v1.99.1
    Scan saved at 9:09:10 PM, on 5/23/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Netropa\OSD.exe
    C:\WINDOWS\Nhksrv.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
     
  5. 2007/05/24
    TeMerc

    Ok, looks like you got the WOW trojan on your system. Of course, that's not a big surprise, with no service packs, I figured there would be far more malware installed.

    Let's attack it and run some other scans.

    Download the Killbox from here and save it to the desktop.
    • Double-click the KillBox icon on your desktop to open it
    • Select "Delete on Reboot"
    • Then select "All files".
    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\mppds.exe

    Return to Killbox
    • Go to the File menu, and choose "Paste from Clipboard".
    • Click the red-and-white [Delete File] button.
    • Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations' prompt.

    Reboot if required.

    Upon rebooting, Open Hijackthis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


    O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe


    Then download ComboScan to your desktop.

    Close all applications and windows.
    • Double-click on comboscan.exe to run it, and follow the prompts.
    • When the scan is complete, a text file will open - ComboScan.txt
    • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your thread back into this thread for me to view.
    A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
    Please attach Supplementary.txt to your post.

    Note: Some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

    At this point reboot the system, and post back another HJT log file along with the other two logs requested.
     
  6. 2007/05/24
    towman177

    Ok, here is the first of the new logs. (the fresh HJT Log)

    Logfile of HijackThis v1.99.1
    Scan saved at 9:42:20 PM, on 5/24/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\Program Files\Netropa\OSD.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\Nhksrv.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
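
An added example, not part of the original thread: a small parser that diffs two HijackThis logs to confirm which entries a "Fix Checked" pass actually removed. The two log excerpts are abbreviated from the 5/23 and 5/24 logs posted above; the function names are this example's own.

```python
import re

# HijackThis item lines have the shape "<code> - <entry text>", where the code
# is a section letter (R, F, N or O) followed by a number, e.g. "O4".
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")

# O4 autorun entries have the shape: HIVE\..\Run: [value name] command line
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]*)\]\s*(.*)$")

# Abbreviated excerpt of the log saved on 5/23/2007 (before the fix).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 9:09:10 PM, on 5/23/2007
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Abbreviated excerpt of the log saved on 5/24/2007 (after the fix).
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 9:42:20 PM, on 5/24/2007
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""


def parse_hjt(log_text):
    # Collect (code, entry) pairs; header and running-process lines do not
    # match ENTRY_RE and are skipped.
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def diff_hjt(before, after):
    # Return (removed, added) entry lists, each sorted by code then text.
    b, a = parse_hjt(before), parse_hjt(after)
    return sorted(b - a), sorted(a - b)


def run_entry(entry):
    # Split an O4 entry into (hive, value name, command); None if not a Run entry.
    m = RUN_RE.match(entry)
    return m.groups() if m else None


def removed_autoruns(before, after):
    # Autorun (O4) entries present before the fix and gone afterwards.
    removed, _ = diff_hjt(before, after)
    parsed = (run_entry(text) for code, text in removed if code == "O4")
    return [p for p in parsed if p is not None]


if __name__ == "__main__":
    removed, added = diff_hjt(BEFORE_LOG, AFTER_LOG)
    for code, text in removed:
        print("removed:", code, "-", text)
    for code, text in added:
        print("added:  ", code, "-", text)
    for hive, name, command in removed_autoruns(BEFORE_LOG, AFTER_LOG):
        print("autorun gone:", hive, name, command)
```

A HijackThis diff only covers what HijackThis enumerates; a file on disk that has no startup entry in the log, such as the mppds.dll path Norton reported, does not appear in it.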
     
  7. 2007/05/24
    towman177

    I can't access combo scan from your link, it says page cannot be found.
    I have found other links to combo scan thru google search but I get the same results from them all. I guess I will keep trying.
     
    Last edited: 2007/05/24
  8. 2007/05/25
    TeMerc

  9. 2007/05/26
    towman177

    Ok, here is the main txt from the scan

    Deckard's System Scanner v20070426.43
    Run by Robert on 2007-05-26 at 20:46:50
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as Robert.exe) ----------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 8:46:52 PM, on 5/26/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\Program Files\Netropa\OSD.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\Nhksrv.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Robert\Desktop\dss.exe
    C:\PROGRA~1\HIJACK~1\Robert.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


    -- Files created between 2007-04-26 and 2007-05-26 -----------------------------

    2100-02-23 14:35:34 768 --a------ C:\WINDOWS\x73_lut.dat
    2007-05-26 14:52:55 19520 --a------ C:\WINDOWS\System32\6l12CKRx.exe
    2007-05-24 21:03:11 0 d-------- C:\!KillBox
    2007-05-23 19:08:21 0 d-------- C:\Documents and Settings\Robert\Application Data\Lavasoft
    2007-05-23 19:08:09 0 d-------- C:\Program Files\Lavasoft
    2007-05-23 19:03:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-05-22 15:01:28 11776 --a------ C:\WINDOWS\System32\mppds.dll
    2007-04-27 18:59:42 0 d-------- C:\Program Files\Common Files\LightScribe
    2007-04-27 18:54:56 0 d-------- C:\Program Files\Common Files\Nero
    2007-04-27 18:54:17 997888 --a------ C:\WINDOWS\System32\wmvdmoe2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows Media Services>
    2007-04-27 18:54:17 892416 --a------ C:\WINDOWS\System32\wmspdmoe.dll <Not Verified; Microsoft Corporation; Microsoft® Windows Media Services>
    2007-04-27 18:54:17 1111040 --a------ C:\WINDOWS\System32\wmsdmoe2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows Media Services>
    2007-04-27 18:52:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Ahead
    2007-04-27 18:52:04 0 d-------- C:\Program Files\Ahead
    2007-04-27 18:50:57 0 d-------- C:\WINDOWS\RegisteredPackages
    2007-04-27 18:49:19 1703936 --a------ C:\WINDOWS\System32\d3d9.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2007-04-27 18:49:18 1769472 --a------ C:\WINDOWS\System32\dxdiagn.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


    -- Find3M Report ---------------------------------------------------------------

    2007-05-21 22:33:15 0 d-------- C:\Program Files\Norton AntiVirus
    2007-05-07 23:03:41 0 d-------- C:\Program Files\Yahoo!
    2007-04-20 00:21:44 0 d-------- C:\Program Files\LexmarkX73
    2007-04-15 18:53:45 0 dr-h----- C:\Documents and Settings\Robert\Application Data\yahoo!
    2007-04-15 16:38:02 0 d-------- C:\Program Files\Canon
    2007-04-15 15:14:46 26 --a------ C:\WINDOWS\winstart.bat
    2007-04-15 15:14:46 122 --a------ C:\WINDOWS\tmpdelis.bat
    2007-04-15 15:14:46 123 --a------ C:\WINDOWS\tmpcpyis.bat
    2007-04-15 15:13:44 0 d-------- C:\Program Files\Common Files\Intel Shared
    2007-04-15 15:11:32 2272 --a------ C:\WINDOWS\System32\w95inf16.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
    2007-04-15 15:11:31 4608 --a------ C:\WINDOWS\System32\w95inf32.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
    2007-04-15 15:11:29 0 d-------- C:\Program Files\Intel
    2007-04-15 15:07:23 0 d-------- C:\Program Files\MGI
    2007-04-15 14:55:41 0 d-------- C:\Documents and Settings\Robert\Application Data\Help
    2007-04-15 14:53:42 0 d--h----- C:\Program Files\WindowsUpdate
    2007-04-15 14:51:46 0 d-------- C:\Program Files\Lexmark
    2007-04-15 14:12:25 0 d-------- C:\Documents and Settings\Robert\Application Data\Macromedia
    2007-04-13 00:02:08 0 d-------- C:\Program Files\PhoneTools
    2007-04-13 00:01:35 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-04-12 23:56:49 0 d-------- C:\Program Files\Symantec
    2007-04-12 23:56:45 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2007-04-12 23:56:33 0 d-------- C:\Documents and Settings\Robert\Application Data\Symantec
    2007-04-12 23:54:25 0 d-------- C:\Program Files\Dell
    2007-04-12 23:23:44 0 d-------- C:\Program Files\Microsoft Hardware
    2007-04-12 23:22:09 0 d-------- C:\Program Files\Netropa
    2007-04-12 23:21:22 0 d-------- C:\Program Files\Analog Devices
    2007-04-12 23:16:48 0 d-------- C:\Program Files\Windows NT
    2007-04-12 22:52:47 0 d-------- C:\Program Files\Online Services
    2007-04-12 22:49:39 0 d-------- C:\Program Files\Common Files\InstallShield
    2007-04-12 22:44:56 0 d-------- C:\Documents and Settings\Robert\Application Data\Identities
    2007-04-12 22:39:00 0 d-------- C:\Program Files\microsoft frontpage
    2007-04-12 22:38:42 0 -rahs---- C:\MSDOS.SYS
    2007-04-12 22:38:42 0 -rahs---- C:\IO.SYS
    2007-04-12 22:38:42 0 --a------ C:\CONFIG.SYS
    2007-04-12 22:38:42 0 --a------ C:\AUTOEXEC.BAT
    2007-04-12 22:36:08 0 d-------- C:\Program Files\Movie Maker
    2007-04-12 22:35:30 0 d-------- C:\Program Files\Common Files\MSSoap
    2007-04-12 22:35:19 21640 --a------ C:\WINDOWS\System32\emptyregdb.dat
    2007-04-12 22:33:55 0 d-------- C:\Program Files\MSN Gaming Zone
    2007-04-12 15:25:40 0 d-------- C:\Program Files\Common Files\ODBC
    2007-04-12 15:25:37 0 d-------- C:\Program Files\Common Files\SpeechEngines
    2007-04-12 15:25:10 62 --ahs---- C:\Documents and Settings\Robert\Application Data\desktop.ini


    -- Registry Dump ---------------------------------------------------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll
    {BDF3E430-B101-42AD-A544-FADC6B084872} C:\Program Files\Norton AntiVirus\NavShExt.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "DellTouch"="C:\\WINDOWS\\DELLMMKB.EXE"
    "POINTER"="point32.exe"
    "NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
    "Lexmark X73 Button Monitor"="C:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X73.exe"
    "Lexmark X73 Button Manager"="C:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X73.exe"
    "PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0


    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0



    -- End of Deckard's System Scanner: finished at 2007-05-26 at 20:47:23 ---------



    Here is the extra text

    Deckard's System Scanner v20070426.43
    Extra logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Microsoft Windows XP Home Edition (build 2600)
    Architecture: X86; Language: English

    CPU 0: Intel(R) Pentium(R) 4 CPU 1.50GHz
    Percentage of Memory in Use: 69%
    Physical Memory (total/avail): 255.01 MiB / 77.8 MiB
    Pagefile Memory (total/avail): 618.2 MiB / 453.93 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1969.73 MiB

    A: is Removable (No Media)
    C: is Fixed (NTFS) - 38.28 GiB total, 34.11 GiB free.
    D: is CDROM (No Media)


    -- Security Center -------------------------------------------------------------

    AUState says computer is in an unknown state.
    Windows Internal Firewall is enabled.


    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Robert\Application Data
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=ROBERT-4K7CO2TY
    ComSpec=C:\WINDOWS\system32\cmd.exe
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Robert
    LOGONSERVER=\\ROBERT-4K7CO2TY
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Internet Explorer;
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0102
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Robert\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Robert\LOCALS~1\Temp
    USERDOMAIN=ROBERT-4K7CO2TY
    USERNAME=Robert
    USERPROFILE=C:\Documents and Settings\Robert
    windir=C:\WINDOWS


    -- User Profiles ---------------------------------------------------------------

    Robert (admin)


    -- Add/Remove Programs ---------------------------------------------------------

    --> C:\PROGRA~1\Intel\CREATE~1\VIDEOP~1\setup.exe -fC:\PROGRA~1\Intel\CREATE~1\VIDEOP~1\uninst.ins
    --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\Intel\Createshare\program\Reality Fusion VarietyPack\Uninst.isu"
    --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\USBUnins.isu
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7E518B2-B174-11D3-9D4E-0060B0A4823E}\setup.exe"
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
    Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\UninstFl.exe -q
    ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
    Backup Dell-Installed Programs --> MsiExec.exe /X{2A2766A4-6AE4-11D4-AC8E-52544C1966EE}
    Canon PhotoRecord --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\Canon\PhotoRecord\Uninst.isu" -c "C:\Program Files\Canon\PhotoRecord\Program\uninstdll.dll"
    Canon Utilities PhotoStitch 3.1 --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\Canon\PhotoStitch\Uninst.isu"
    Canon Utilities ZoomBrowser EX --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\Canon\ZoomBrowser EX\Uninst.isu" -c "C:\Program Files\Canon\ZoomBrowser EX\Program\uninstallutilities.dll"
    Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
    DellTouch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{706D5382-7381-4680-9DD0-161832578252}\setup.exe"
    Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
    HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
    Intel A/V Codecs V2.0 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\System32\CDUninst.isu
    Intel(R) Create & Share(TM) Software --> C:\Program Files\Intel\Createshare\program\uninstall\setup.exe
    Lexmark X73 --> C:\Program Files\LexmarkX73\RemoveX73.exe
    LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
    LiveUpdate 1.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
    MGI PhotoSuite 8.1 (Remove Only) --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\MGI\PhotoSuite 8.1\Uninst.isu" -c "C:\Program Files\MGI\PhotoSuite 8.1\CustomUninstall.dll"
    Norton AntiVirus 2002 --> MsiExec.exe /I{3075C5C3-0807-4924-AF8F-FF27052C12AE}
    PhoneTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3436EE2-D5CB-4249-840B-3A0140CC34C1}\setup.exe" ControlPanel
    SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
    Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
    Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
    Yahoo! Install Manager --> C:\WINDOWS\System32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
    Yahoo! Internet Mail --> C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
    Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


    -- End of Deckard's System Scanner: finished at 2007-05-26 at 20:26:57 ---------
     
    Last edited: 2007/05/26
  10. 2007/05/27
    TeMerc

    Download the Killbox from here and save it to the desktop.
    • Double-click the KillBox icon on your desktop to open it
    • Select "Delete on Reboot"
    • Then select "All files".
    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\x73_lut.dat
    C:\WINDOWS\System32\6l12CKRx.exe
    C:\WINDOWS\System32\mppds.dll
    C:\Program Files\WindowsUpdate


    Return to Killbox
    • Go to the File menu, and choose "Paste from Clipboard".
    • Click the red-and-white [Delete File] button.
    • Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations' prompt.


    Allow a reboot, run ComboScan again please. Post log and advise of any continuing or new problems.
     
  11. 2007/05/27
    towman177

    Here is the new log. Norton still had the virus warning upon reboot.




    Deckard's System Scanner v20070426.43
    Run by Robert on 2007-05-27 at 00:58:50
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as Robert.exe) ----------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 12:59:01 AM, on 5/27/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Netropa\OSD.exe
    C:\WINDOWS\Nhksrv.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Robert\Desktop\dss.exe
    C:\PROGRA~1\HIJACK~1\Robert.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


    -- Files created between 2007-04-27 and 2007-05-27 -----------------------------

    2100-02-23 14:35:34 768 -----n--- C:\WINDOWS\x73_lut.dat
    2007-05-24 21:03:11 0 d-------- C:\!KillBox
    2007-05-23 19:08:21 0 d-------- C:\Documents and Settings\Robert\Application Data\Lavasoft
    2007-05-23 19:08:09 0 d-------- C:\Program Files\Lavasoft
    2007-05-23 19:03:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-05-22 15:01:28 11776 -----n--- C:\WINDOWS\System32\mppds.dll
    2007-04-27 18:59:42 0 d-------- C:\Program Files\Common Files\LightScribe
    2007-04-27 18:54:56 0 d-------- C:\Program Files\Common Files\Nero
    2007-04-27 18:54:17 997888 --a------ C:\WINDOWS\System32\wmvdmoe2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows Media Services>
    2007-04-27 18:54:17 892416 --a------ C:\WINDOWS\System32\wmspdmoe.dll <Not Verified; Microsoft Corporation; Microsoft® Windows Media Services>
    2007-04-27 18:54:17 1111040 --a------ C:\WINDOWS\System32\wmsdmoe2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows Media Services>
    2007-04-27 18:52:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Ahead
    2007-04-27 18:52:04 0 d-------- C:\Program Files\Ahead
    2007-04-27 18:50:57 0 d-------- C:\WINDOWS\RegisteredPackages
    2007-04-27 18:49:19 1703936 --a------ C:\WINDOWS\System32\d3d9.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2007-04-27 18:49:18 1769472 --a------ C:\WINDOWS\System32\dxdiagn.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


    -- Find3M Report ---------------------------------------------------------------

    2007-05-21 22:33:15 0 d-------- C:\Program Files\Norton AntiVirus
    2007-05-07 23:03:41 0 d-------- C:\Program Files\Yahoo!
    2007-04-20 00:21:44 0 d-------- C:\Program Files\LexmarkX73
    2007-04-15 18:53:45 0 dr-h----- C:\Documents and Settings\Robert\Application Data\yahoo!
    2007-04-15 16:38:02 0 d-------- C:\Program Files\Canon
    2007-04-15 15:14:46 26 --a------ C:\WINDOWS\winstart.bat
    2007-04-15 15:14:46 122 --a------ C:\WINDOWS\tmpdelis.bat
    2007-04-15 15:14:46 123 --a------ C:\WINDOWS\tmpcpyis.bat
    2007-04-15 15:13:44 0 d-------- C:\Program Files\Common Files\Intel Shared
    2007-04-15 15:11:32 2272 --a------ C:\WINDOWS\System32\w95inf16.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
    2007-04-15 15:11:31 4608 --a------ C:\WINDOWS\System32\w95inf32.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
    2007-04-15 15:11:29 0 d-------- C:\Program Files\Intel
    2007-04-15 15:07:23 0 d-------- C:\Program Files\MGI
    2007-04-15 14:55:41 0 d-------- C:\Documents and Settings\Robert\Application Data\Help
    2007-04-15 14:53:42 0 d-------- C:\Program Files\WindowsUpdate
    2007-04-15 14:51:46 0 d-------- C:\Program Files\Lexmark
    2007-04-15 14:12:25 0 d-------- C:\Documents and Settings\Robert\Application Data\Macromedia
    2007-04-13 00:02:08 0 d-------- C:\Program Files\PhoneTools
    2007-04-13 00:01:35 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-04-12 23:56:49 0 d-------- C:\Program Files\Symantec
    2007-04-12 23:56:45 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2007-04-12 23:56:33 0 d-------- C:\Documents and Settings\Robert\Application Data\Symantec
    2007-04-12 23:54:25 0 d-------- C:\Program Files\Dell
    2007-04-12 23:23:44 0 d-------- C:\Program Files\Microsoft Hardware
    2007-04-12 23:22:09 0 d-------- C:\Program Files\Netropa
    2007-04-12 23:21:22 0 d-------- C:\Program Files\Analog Devices
    2007-04-12 23:16:48 0 d-------- C:\Program Files\Windows NT
    2007-04-12 22:52:47 0 d-------- C:\Program Files\Online Services
    2007-04-12 22:49:39 0 d-------- C:\Program Files\Common Files\InstallShield
    2007-04-12 22:44:56 0 d-------- C:\Documents and Settings\Robert\Application Data\Identities
    2007-04-12 22:39:00 0 d-------- C:\Program Files\microsoft frontpage
    2007-04-12 22:38:42 0 -rahs---- C:\MSDOS.SYS
    2007-04-12 22:38:42 0 -rahs---- C:\IO.SYS
    2007-04-12 22:38:42 0 --a------ C:\CONFIG.SYS
    2007-04-12 22:38:42 0 --a------ C:\AUTOEXEC.BAT
    2007-04-12 22:36:08 0 d-------- C:\Program Files\Movie Maker
    2007-04-12 22:35:30 0 d-------- C:\Program Files\Common Files\MSSoap
    2007-04-12 22:35:19 21640 --a------ C:\WINDOWS\System32\emptyregdb.dat
    2007-04-12 22:33:55 0 d-------- C:\Program Files\MSN Gaming Zone
    2007-04-12 15:25:40 0 d-------- C:\Program Files\Common Files\ODBC
    2007-04-12 15:25:37 0 d-------- C:\Program Files\Common Files\SpeechEngines
    2007-04-12 15:25:10 62 --ahs---- C:\Documents and Settings\Robert\Application Data\desktop.ini


    -- Registry Dump ---------------------------------------------------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll
    {BDF3E430-B101-42AD-A544-FADC6B084872} C:\Program Files\Norton AntiVirus\NavShExt.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "DellTouch"="C:\\WINDOWS\\DELLMMKB.EXE"
    "POINTER"="point32.exe"
    "NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
    "Lexmark X73 Button Monitor"="C:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X73.exe"
    "Lexmark X73 Button Manager"="C:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X73.exe"
    "PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0


    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0



    -- End of Deckard's System Scanner: finished at 2007-05-27 at 00:59:41 ---------
     
  12. 2007/05/27
    TeMerc

    Seems that one file is being rather stubborn.

    Let's try another approach that has worked for me in the past on many such stubborn files.

    DL Unlocker.

    Once installed, reboot into safe mode this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Locate the files:
    C:\WINDOWS\System32\mppds.dll
    C:\WINDOWS\x73_lut.dat


    Right-click and select 'Unlocker'
    In the window that appears select 'Unlock All'
    In the drop down menu select 'delete'.

    You may get a message saying you need to reboot. Reboot and run ComboScan again to see if the files are still there.
     
  13. 2007/05/27
    towman177

    Here are the results of the new ComboScan.

    Deckard's System Scanner v20070426.43
    Run by Robert on 2007-05-27 at 17:21:40
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as Robert.exe) ----------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 5:21:54 PM, on 5/27/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Netropa\OSD.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\Nhksrv.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Robert\Desktop\dss.exe
    C:\PROGRA~1\HIJACK~1\Robert.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


    -- Files created between 2007-04-27 and 2007-05-27 -----------------------------

    2007-05-27 17:17:24 0 d--h----- C:\Documents and Settings\Administrator\Templates
    2007-05-27 17:17:24 0 dr------- C:\Documents and Settings\Administrator\Start Menu
    2007-05-27 17:17:24 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
    2007-05-27 17:17:24 0 d--h----- C:\Documents and Settings\Administrator\Recent
    2007-05-27 17:17:24 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
    2007-05-27 17:17:24 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
    2007-05-27 17:17:24 0 d--h----- C:\Documents and Settings\Administrator\NetHood
    2007-05-27 17:17:24 0 d-------- C:\Documents and Settings\Administrator\My Documents
    2007-05-27 17:17:24 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
    2007-05-27 17:17:24 0 d-------- C:\Documents and Settings\Administrator\Favorites
    2007-05-27 17:17:24 0 d-------- C:\Documents and Settings\Administrator\Desktop
    2007-05-27 17:17:24 0 d---s---- C:\Documents and Settings\Administrator\Cookies
    2007-05-27 17:17:24 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
    2007-05-27 17:17:24 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2007-05-24 21:03:11 0 d-------- C:\!KillBox
    2007-05-23 19:08:21 0 d-------- C:\Documents and Settings\Robert\Application Data\Lavasoft
    2007-05-23 19:08:09 0 d-------- C:\Program Files\Lavasoft
    2007-05-23 19:03:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-04-27 18:59:42 0 d-------- C:\Program Files\Common Files\LightScribe
    2007-04-27 18:54:56 0 d-------- C:\Program Files\Common Files\Nero
    2007-04-27 18:54:17 997888 --a------ C:\WINDOWS\System32\wmvdmoe2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows Media Services>
    2007-04-27 18:54:17 892416 --a------ C:\WINDOWS\System32\wmspdmoe.dll <Not Verified; Microsoft Corporation; Microsoft® Windows Media Services>
    2007-04-27 18:54:17 1111040 --a------ C:\WINDOWS\System32\wmsdmoe2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows Media Services>
    2007-04-27 18:52:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Ahead
    2007-04-27 18:52:04 0 d-------- C:\Program Files\Ahead
    2007-04-27 18:50:57 0 d-------- C:\WINDOWS\RegisteredPackages
    2007-04-27 18:49:19 1703936 --a------ C:\WINDOWS\System32\d3d9.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2007-04-27 18:49:18 1769472 --a------ C:\WINDOWS\System32\dxdiagn.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


    -- Find3M Report ---------------------------------------------------------------

    2007-05-27 13:08:39 0 d-------- C:\Program Files\LexmarkX73
    2007-05-21 22:33:15 0 d-------- C:\Program Files\Norton AntiVirus
    2007-05-07 23:03:41 0 d-------- C:\Program Files\Yahoo!
    2007-04-15 18:53:45 0 dr-h----- C:\Documents and Settings\Robert\Application Data\yahoo!
    2007-04-15 16:38:02 0 d-------- C:\Program Files\Canon
    2007-04-15 15:14:46 26 --a------ C:\WINDOWS\winstart.bat
    2007-04-15 15:14:46 122 --a------ C:\WINDOWS\tmpdelis.bat
    2007-04-15 15:14:46 123 --a------ C:\WINDOWS\tmpcpyis.bat
    2007-04-15 15:13:44 0 d-------- C:\Program Files\Common Files\Intel Shared
    2007-04-15 15:11:32 2272 --a------ C:\WINDOWS\System32\w95inf16.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
    2007-04-15 15:11:31 4608 --a------ C:\WINDOWS\System32\w95inf32.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
    2007-04-15 15:11:29 0 d-------- C:\Program Files\Intel
    2007-04-15 15:07:23 0 d-------- C:\Program Files\MGI
    2007-04-15 14:55:41 0 d-------- C:\Documents and Settings\Robert\Application Data\Help
    2007-04-15 14:53:42 0 d-------- C:\Program Files\WindowsUpdate
    2007-04-15 14:51:46 0 d-------- C:\Program Files\Lexmark
    2007-04-15 14:12:25 0 d-------- C:\Documents and Settings\Robert\Application Data\Macromedia
    2007-04-13 00:02:08 0 d-------- C:\Program Files\PhoneTools
    2007-04-13 00:01:35 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-04-12 23:56:49 0 d-------- C:\Program Files\Symantec
    2007-04-12 23:56:45 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2007-04-12 23:56:33 0 d-------- C:\Documents and Settings\Robert\Application Data\Symantec
    2007-04-12 23:54:25 0 d-------- C:\Program Files\Dell
    2007-04-12 23:23:44 0 d-------- C:\Program Files\Microsoft Hardware
    2007-04-12 23:22:09 0 d-------- C:\Program Files\Netropa
    2007-04-12 23:21:22 0 d-------- C:\Program Files\Analog Devices
    2007-04-12 23:16:48 0 d-------- C:\Program Files\Windows NT
    2007-04-12 22:52:47 0 d-------- C:\Program Files\Online Services
    2007-04-12 22:49:39 0 d-------- C:\Program Files\Common Files\InstallShield
    2007-04-12 22:44:56 0 d-------- C:\Documents and Settings\Robert\Application Data\Identities
    2007-04-12 22:39:00 0 d-------- C:\Program Files\microsoft frontpage
    2007-04-12 22:38:42 0 -rahs---- C:\MSDOS.SYS
    2007-04-12 22:38:42 0 -rahs---- C:\IO.SYS
    2007-04-12 22:38:42 0 --a------ C:\CONFIG.SYS
    2007-04-12 22:38:42 0 --a------ C:\AUTOEXEC.BAT
    2007-04-12 22:36:08 0 d-------- C:\Program Files\Movie Maker
    2007-04-12 22:35:30 0 d-------- C:\Program Files\Common Files\MSSoap
    2007-04-12 22:35:19 21640 --a------ C:\WINDOWS\System32\emptyregdb.dat
    2007-04-12 22:33:55 0 d-------- C:\Program Files\MSN Gaming Zone
    2007-04-12 15:25:40 0 d-------- C:\Program Files\Common Files\ODBC
    2007-04-12 15:25:37 0 d-------- C:\Program Files\Common Files\SpeechEngines
    2007-04-12 15:25:10 62 --ahs---- C:\Documents and Settings\Robert\Application Data\desktop.ini


    -- Registry Dump ---------------------------------------------------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll
    {BDF3E430-B101-42AD-A544-FADC6B084872} C:\Program Files\Norton AntiVirus\NavShExt.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "DellTouch"="C:\\WINDOWS\\DELLMMKB.EXE"
    "POINTER"="point32.exe"
    "NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
    "Lexmark X73 Button Monitor"="C:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X73.exe"
    "Lexmark X73 Button Manager"="C:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X73.exe"
    "PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
    "UnlockerAssistant"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0


    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0



    -- End of Deckard's System Scanner: finished at 2007-05-27 at 17:22:36 ---------
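
The before/after check the helper asks for ("run ComboScan again to see if the files are still there") can be scripted. The following is an added example, not part of the thread: it parses the file listings of the two scans posted above and classifies the KillBox targets from post 10; the function names and the future-timestamp check are assumptions of this example.

```python
import re
from datetime import datetime

# Excerpts from the 00:58 and 17:21 scans posted in this thread, trimmed to a
# few lines each so the example stays short.
SCAN_BEFORE = r"""
Deckard's System Scanner v20070426.43
Run by Robert on 2007-05-27 at 00:58:50
-- Files created between 2007-04-27 and 2007-05-27 -----------------------------
2100-02-23 14:35:34 768 -----n--- C:\WINDOWS\x73_lut.dat
2007-05-24 21:03:11 0 d-------- C:\!KillBox
2007-05-22 15:01:28 11776 -----n--- C:\WINDOWS\System32\mppds.dll
-- Find3M Report ---------------------------------------------------------------
2007-04-15 14:53:42 0 d-------- C:\Program Files\WindowsUpdate
"""
SCAN_AFTER = r"""
Deckard's System Scanner v20070426.43
Run by Robert on 2007-05-27 at 17:21:40
-- Files created between 2007-04-27 and 2007-05-27 -----------------------------
2007-05-27 17:17:24 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-05-24 21:03:11 0 d-------- C:\!KillBox
-- Find3M Report ---------------------------------------------------------------
2007-04-15 14:53:42 0 d-------- C:\Program Files\WindowsUpdate
"""
# Paths from the KillBox instructions in post 10.
TARGETS = [
    r"C:\WINDOWS\x73_lut.dat",
    r"C:\WINDOWS\System32\6l12CKRx.exe",
    r"C:\WINDOWS\System32\mppds.dll",
    r"C:\Program Files\WindowsUpdate",
]

# "<timestamp> <size> <9 attribute flags> <path>[ <verification note>]"
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) ([a-z-]{9}) (.+?)(?: <[^>]*>)?$"
)
RUN_RE = re.compile(r"^Run by .+ on (\d{4}-\d{2}-\d{2}) at (\d{2}:\d{2}:\d{2})$")
SECTION_RE = re.compile(r"^-- (.+?) -+$")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_scan(text):
    """Return (scan_time, {lowercased path: entry}) for one scanner log."""
    scan_time, section, entries = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()  # forum copies of the log are indented
        if m := RUN_RE.match(line):
            scan_time = datetime.strptime(f"{m[1]} {m[2]}", TS_FMT)
        elif m := SECTION_RE.match(line):
            section = m[1]
        elif m := ENTRY_RE.match(line):
            # Windows paths are case-insensitive, so key on the lowercased path.
            entries[m[4].lower()] = {
                "path": m[4], "stamp": datetime.strptime(m[1], TS_FMT),
                "size": int(m[2]), "attrs": m[3], "section": section}
    return scan_time, entries


def target_status(before, after, targets):
    """Classify each target path by comparing two parsed scans."""
    def state(key):
        if key in after:
            return "still listed"
        return "removed" if key in before else "not in either listing"
    return {path: state(path.lower()) for path in targets}


def future_dated(scan_time, entries):
    """Paths stamped later than the scan itself: an implausible timestamp
    worth a second look (heuristic assumed by this example)."""
    return sorted(e["path"] for e in entries.values() if e["stamp"] > scan_time)


if __name__ == "__main__":
    t0, before = parse_scan(SCAN_BEFORE)
    t1, after = parse_scan(SCAN_AFTER)
    for path, state in target_status(before, after, TARGETS).items():
        print(f"{state:22} {path}")
    print("future-dated in first scan:", future_dated(t0, before))
```

A path absent from both excerpts only means it does not appear in these two listings, which cover recently created and recently modified items rather than the whole disk.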
     
  14. 2007/05/27
    towman177

    Everything seems to be good so far. Thank you very much.
    I will be sure to tell everyone who will listen how helpful you are.
     
  15. 2007/05/28
    TeMerc

    Glad to hear things are running smoothly. As this infection can be stubborn and a bit evasive, I'll leave this thread open for now. Please pop in to confirm things are still running well in a day or two.
     
