
Thread: Hijack this logfile

  1. #1
    Beginner
    Registered since
    05.03.2005
    Posts
    6

    Hijack this logfile

    Hello,
    Recently I clicked on a link that I thought was a friend's site, but it wasn't. Now I keep on getting ad pop-ups, and sometimes a little window pops up saying it is deleting files off my computer. I used Spybot S&D and also Ad-Aware, but I still seem to be getting these pop-ups. My Norton Antivirus program detected it but didn't seem to be able to fix it either.
    Thanks for any help.

    Code:
    Logfile of HijackThis v1.99.1
    Scan saved at 2:06:25 PM, on 5/03/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.exe
    c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe
    C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\rb.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\qumklajo.exe
    C:\Program Files\Real\RealPlayer\realplay.exe
    C:\WINDOWS\System32\WINSYS.EXE
    C:\PROGRA~1\MYHPPA~1\Pavilion\XPHAPBF3EN\plugin\bin\PCHButton.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Paula.PLAYSTETION\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    F2 - REG:system.ini: Shell=Explorer.exe penis.exe
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
    O4 - HKLM\..\Run: [WinCinemaMgr] "C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe"
    O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinDSNX] C:\WINDOWS\System32\winbktc.exe
    O4 - HKLM\..\Run: [Autofont Loader] AUTOSCROLL.EXE
    O4 - HKLM\..\Run: [RCM] C:\WINDOWS\RCM.exe
    O4 - HKLM\..\Run: [KXFP] C:\WINDOWS\KXFP.exe
    O4 - HKLM\..\Run: [RamBooster2] C:\WINDOWS\System32\rb.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [aduuqxxnvle] C:\WINDOWS\System32\qumklajo.exe
    O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [Windows System] WINSYS.EXE
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\MYHPPA~1\Pavilion\XPHAPBF3EN\plugin\bin\PCHButton.exe
    O4 - HKCU\..\Run: [boltzap] C:\Program Files\bolt\boltzap\BoltZap.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\RunOnce: [Windows System] WINSYS.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: officejet 6100.lnk = ?
    O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Arkadium - {A442DE97-7F7F-4265-A813-4E5D81C83EFE} - C:\Program Files\ArkadiumV2\arkadium.exe
    O9 - Extra 'Tools' menuitem: Arkadium - {A442DE97-7F7F-4265-A813-4E5D81C83EFE} - C:\Program Files\ArkadiumV2\arkadium.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1108710817002
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {CDAA0214-3907-4C47-A3F6-014DA1517440} (ArkDownloader Class) - http://www.gamedek.com/download/arkDownloader.cab
    O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3uk.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F7627ECD-AECC-4B59-9877-3C9152711021}: NameServer = 203.109.250.50,203.109.250.61
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

  2. #2
    Ruby (Supermod, retired)
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.041

    Re: Hijack this logfile

    Hello Mixy - welcome to HijackThis.de

    STEP 1
    Please use the Feedback-Forum to tell us more about the applications, entries, programs and processes running on your system that are not known to us. That way we will be able to update our database. Thank you.

    c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    C:\HP\KBD\KBD.EXE
    c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
    C:\Program Files\bolt\boltzap\BoltZap.exe
    C:\Program Files\Real\RealDownload\Realdownload.exe
    C:\Program Files\ArkadiumV2\arkadium.exe

    h**p://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    h**p://www.gamedek.com/download/arkDownloader.cab

    STEP 2
    Print out these instructions or save them as a text file (*.txt), since we will ask you to work offline in safe mode.

    STEP 3
    Make sure Windows is set to show hidden files and folders.

    STEP 4
    System Restore must be turned off during the whole time we are working on your system.

    STEP 5
    Create a new folder C:\bad

    STEP 6
    -> Boot into safe mode and work there.

    STEP 7
    START -> Run -> type: cmd [enter]
    In the window that opens, please do this:


    move C:\WINDOWS\System32\qumklajo.exe C:\bad [enter]
    move penis.exe C:\bad [enter]
    move C:\WINDOWS\dlmax.dll C:\bad [enter]
    move C:\WINDOWS\system32\ps2.exe C:\bad [enter]
    move C:\WINDOWS\System32\winbktc.exe C:\bad [enter]
    move AUTOSCROLL.EXE C:\bad [enter]
    move C:\WINDOWS\RCM.exe C:\bad [enter]
    move C:\WINDOWS\KXFP.exe C:\bad [enter]
    move C:\WINDOWS\System32\WINSYS.EXE C:\bad [enter]
    move "C:\Program Files\bolt\boltzap\BoltZap.exe" C:\bad [enter]
    move "C:\Program Files\Real\RealDownload\Realdownload.exe" C:\bad [enter]
    move "C:\Program Files\ArkadiumV2\arkadium.exe" C:\bad [enter]
    move C:\WINDOWS\SYSTEM32\igfxsrvc.dll C:\bad [enter]

    STEP 8
    Reboot to normal mode.

    STEP 9
    Take the folder C:\bad with all its contents to: Upload malicious software.

    You can also zip the files (zipgenius) to upload them. If that isn't possible either, please upload the files as they are.

    I would like to know which kind of malware is running on your system. I can't really help you if I don't know which viruses are running on your system. Maybe there are worms, maybe trojans, maybe spyware.

    STEP 10
    Please contact our experts: Malwareupload-Forum. Post the URL of this thread there and let them know that you have done the upload. Thank you. Our experts will find out which malware is running on your system once you have done the upload.

    Please don't do online banking! Don't use file sharing! Don't use mail programs or messengers on this system. Apart from the malware on your system that I don't know about yet, there are many worms and viruses running on your system, which is compromised: Security Tips. I'll try to get your system clean. But that will take a little while.........
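The quarantine procedure in STEPS 5 to 9 above, written out as a Python script. This is an added example, not code from the forum post or from HijackThis, and it makes two assumptions: that a Run value with no directory part (such as WINSYS.EXE or AUTOSCROLL.EXE) is looked up in System32, System, the Windows directory and then PATH, an approximation of the search order Windows uses for such values, and that the constructed fixture in `demo()` (a fake System32 inside a temporary directory) stands in for the real disk. The names `quarantine`, `resolve_target`, `default_search_dirs` and `demo` are the example's own.

```python
r"""Quarantine autostart files into a C:\bad-style folder with a manifest.

Added example, not part of the forum thread or of HijackThis. It mirrors
STEPS 5 to 9 with two changes a practitioner wants: a Run value that names a
file with no directory is looked up where Windows would look for it instead
of in the shell's current directory, and a file that cannot be found is
recorded rather than aborting the run. Each moved file is hashed (SHA-256)
before the move so it can be identified after upload even if renamed.
Assumption: the search order below approximates CreateProcess on Windows XP
when no application directory applies. The demo fixture is constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile


def default_search_dirs(windir=r"C:\WINDOWS"):
    """Directories tried, in order, for a bare file name from a Run value."""
    dirs = [os.path.join(windir, "System32"), os.path.join(windir, "System"), windir]
    dirs += [p for p in os.environ.get("PATH", "").split(os.pathsep) if p]
    return dirs


def resolve_target(name, search_dirs):
    """Full path of `name`, or None. A name with a directory part is taken
    literally; a bare name is searched for in search_dirs."""
    if "\\" in name or "/" in name:
        return name if os.path.isfile(name) else None
    for d in search_dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(targets, bad_dir, search_dirs):
    """Move each resolvable target into bad_dir without overwriting an
    earlier capture of the same name; write and return a manifest."""
    os.makedirs(bad_dir, exist_ok=True)
    manifest = []
    for name in targets:
        src = resolve_target(name, search_dirs)
        if src is None:
            # the "system cannot find the file specified" case: record, go on
            manifest.append({"name": name, "status": "not found"})
            continue
        digest = sha256_of(src)  # hash while the original path is still valid
        base = os.path.basename(src)
        dest = os.path.join(bad_dir, base)
        n = 1
        while os.path.exists(dest):
            dest = os.path.join(bad_dir, f"{base}.{n}")
            n += 1
        shutil.move(src, dest)
        manifest.append({"name": name, "status": "moved", "original": src,
                         "quarantined": dest, "size": os.path.getsize(dest),
                         "sha256": digest})
    with open(os.path.join(bad_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=1)
    return manifest


def demo():
    """Constructed fixture: a fake System32 holding WINSYS.EXE, one file given
    by full path, and one bare name (AUTOSCROLL.EXE) that exists nowhere."""
    root = tempfile.mkdtemp(prefix="hjt-")
    sys32 = os.path.join(root, "System32")
    os.makedirs(sys32)
    with open(os.path.join(sys32, "WINSYS.EXE"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 30)
    full = os.path.join(root, "qumklajo.exe")
    with open(full, "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 60)
    return quarantine(["WINSYS.EXE", full, "AUTOSCROLL.EXE"],
                      os.path.join(root, "bad"), [sys32])


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

On the real machine, from safe mode, replace the fixture with `quarantine([...names from the log...], r"C:\bad", default_search_dirs())`. The manifest keeps the original location and hash of every moved file, which is what the upload forum needs to identify a sample, and a bare name that is not found anywhere is reported rather than silently skipped.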

  3. #3
    Beginner
    Registered since
    05.03.2005
    Posts
    6

    Re: Hijack this logfile

    Thanks for the help.

    "STEP 1
    Please use the Feedback-Forum to tell us more about the applications, entries, programs and processes running on your system that are not known to us. That way we will be able to update our database. Thank you.

    c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    C:\HP\KBD\KBD.EXE
    c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
    C:\Program Files\bolt\boltzap\BoltZap.exe
    C:\Program Files\Real\RealDownload\Realdownload.exe
    C:\Program Files\ArkadiumV2\arkadium.exe

    h**p://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    h**p://www.gamedek.com/download/arkDownloader.cab"

    ^^Before I go and post in the other forum: I'm not too great with computers. What do you mean by applications/entries, etc.?

    Do you mean explain the programs that were listed in my logfile? As far as I can tell, the ones listed above are all safe programs that have never given me trouble.

  4. #4
    Beginner
    Registered since
    05.03.2005
    Posts
    6

    Re: Hijack this logfile

    Oh, also: when it first became known to me, Norton Antivirus said it was a trojan.

    I looked it up in the reports and it was something known as download.trojan.

    I clicked on the link in the report to follow their method of removal, which seems to have worked, but my computer still doesn't feel the same.

  5. #5
    Beginner
    Registered since
    05.03.2005
    Posts
    6

    Re: Hijack this logfile

    ((((Crossposted in the malware upload forum))))

    http://www.hijackthis.de/forum/showthread.php?t=2234

    I could only find:

    qumklajo.exe 38400 Bytes
    Open for examination
    igfxsrvc.dll 315392 Bytes
    Open for examination
    dlmax.dll 172032 Bytes
    Open for examination


    I think it was the dlmax.dll file that harmed my system as it was created around the same time my computer started having problems.

    The rest of the files I couldn't move, as the command said either:

    "not recognized as an internal or external command, operable program or batch file"

    or

    "the system cannot find the file specified"

    Thanks for everybody's help

  6. #6
    Ruby (Supermod, retired)
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.041

    Re: Hijack this logfile

    Hello Mixy

    Thanks for your answers. So let's go on. We are not finished yet. We have not even begun......

    Please print out these instructions or save them as a text file (*.txt), since we will ask you to work offline in safe mode. Follow the STEPS.

    STEP 1
    Turn off System Restore during the whole time we are working on your system.

    STEP 2
    Download:

    DELLATER.ZIP: install it to your desktop!
    Ad-Aware SE: install and update it.
    Cleanup
    IE Privacy Keeper 2.3
    zipgenius (if you have no zip tool)
    escan: mwav.exe -
    (MUST!) Unzip 'mwav.exe' into a newly created directory 'c:\bases' (!).
    Use 'kavupd.exe' to get the latest signatures (MUST!).
    If you 'hear' that the signatures are more than 30 days old, keep trying.
    You will get the current signatures. Keep trying!

    Unzip each of them into its own folder (Windows Tutorial).

    STEP 3
    Then run DELLATER.exe on your system. Click OK.

    STEP 4
    Boot into safe mode. Disconnect from the net.

    STEP 5
    Close all windows including Internet Explorer.
    Run HijackThis, click Scan, and put a checkmark next to each of these items.
    Then click the Fix button:

    F2 - REG:system.ini: Shell=Explorer.exe penis.exe
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [WinDSNX] C:\WINDOWS\System32\winbktc.exe
    O4 - HKLM\..\Run: [RCM] C:\WINDOWS\RCM.exe
    O4 - HKLM\..\Run: [KXFP] C:\WINDOWS\KXFP.exe
    O4 - HKLM\..\Run: [RamBooster2] C:\WINDOWS\System32\rb.exe
    O4 - HKLM\..\Run: [aduuqxxnvle] C:\WINDOWS\System32\qumklajo.exe
    O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
    O4 - HKLM\..\Run: [Windows System] WINSYS.EXE
    O4 - HKCU\..\RunOnce: [Windows System] WINSYS.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O16 - DPF: v3cab - h**p://searchmiracle.com/cab/v3cab.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - h**p://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - h**p://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {CDAA0214-3907-4C47-A3F6-014DA1517440} (ArkDownloader Class) - h**p://www.gamedek.com/download/arkDownloader.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

    STEP 6
    Reboot your system into normal mode.

    STEP 7
    # Open Windows Task Manager.
    » Press CTRL+SHIFT+ESC, then click the Processes tab.
    # In the list of running programs, locate the malware file(s):
    # Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
    # Do the same for all detected malware files in the list of running processes.
    # To check whether the malware process has been terminated, close Task Manager and then open it again.
    # Close Task Manager:

    penis.exe
    ALCXMNTR.EXE
    ps2.exe
    winbktc.exe
    RCM.exe
    KXFP.exe
    rb.exe
    qumklajo.exe
    conscorr.exe
    WINSYS.EXE

    STEP 8
    Boot into safe mode

    STEP 9
    Delete these files:

    C:\WINDOWS\ALCXMNTR.EXE
    C:\WINDOWS\System32\rb.exe
    C:\WINDOWS\System32\qumklajo.exe
    C:\WINDOWS\System32\WINSYS.EXE
    C:\WINDOWS\system32\ps2.exe
    C:\WINDOWS\System32\winbktc.exe
    C:\WINDOWS\RCM.exe
    C:\WINDOWS\KXFP.exe
    C:\WINDOWS\conscorr.exe
    C:\WINDOWS\dlmax.dll

    STEP 10
    Run Ad-Aware SE: Using Ad-Aware SE
    Change all red X's to green. Let the program scan everything.
    Delete the contents of all folders when it's finished. Save the logfile.

    STEP 11
    Run escan

    Close everything else: all windows, all browsers, all programs.
    Remember: you MUST work in safe mode!

    Start a full scan (all files!) [Memory, StartUp-Folders, Drives, All Local Drives,
    Registry and INI Files, System Folders, Services must be checkmarked] by
    running 'mwavscan.com' (directory c:\bases): click on 'Scan clean' or 'Scan'.
    eScan can take some hours. When it's finished, 'view log' and save it!

    STEP 12
    Reboot your system into normal mode.

    STEP 13
    Look for the logfile 'mwav.log' in directory 'c:\bases'. Open the logfile with an
    editor. Look for the files which are tagged as "virus" (or "infected").
    Copy & paste all these files tagged as "virus" (or "infected") into a new document.

    STEP 14
    ---> post every file escan tagged as "virus" (or "infected")
    ---> and the names of the viruses.

    (It looks like this: File C:\WINDOWS\sssasasb32.exe infected by "Trojan-Downloader.Win32.Agent.ig" Virus. Action Taken)

    ---> Also post the result:

    =>Total Number of Files Scanned:
    =>Total Number of Virus(es) Found:
    =>Total Number of Disinfected Files:
    =>Total Number of Files Renamed:
    =>Total Number of Deleted Files:
    =>Total Number of Errors:
    ***** Scanning complete. *****

    STEP 15
    Run CleanUp: the Temp folders should now be cleaned.

    STEP 16
    Run IE Privacy Keeper 2.3: clean everything with this program
    (IE temp folders, cookies, system and registry)

    STEP 17
    Post the Logfile of Ad-Aware SE.
    Post all infected files of escan, the number of scanned files and found viruses.
    Post another new HijackThis Logfile.
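As an added example, not part of the thread and not HijackThis's own code, here is a small Python triage script for the log format posted above. It parses the entry lines and flags the classes of entry the two replies ask to fix: a Shell= value that starts anything besides Explorer.exe, Run values that name a file with no directory (these can only be located by Windows' PATH search, which is why a plain `move` of the bare name fails), unvetted files started from the Windows or System32 directory, ActiveX (DPF) downloads from hosts outside a trusted list, and O17 NameServer overrides. The allowlists `KNOWN_SYSTEM_NAMES` and `TRUSTED_DPF_HOSTS` are assumptions for this demonstration and would be the operator's own; the sample lines in `SAMPLE_LOG` are copied from the log in post #1.

```python
"""Triage a HijackThis 1.99 log. Added example, not from the thread.

Only the entry lines (R1, F2, O2, O4, O16, O17, ...) are parsed; the process
listing and header are skipped. Assumptions: KNOWN_SYSTEM_NAMES and
TRUSTED_DPF_HOSTS are operator allowlists, seeded here only with names and
hosts that appear in the posted log, not with HijackThis data.
"""
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
URL_RE = re.compile(r"https?://\S+")
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32"}

KNOWN_SYSTEM_NAMES = {"hkcmd.exe", "hphmon05.exe", "nvcpl.dll"}   # assumption
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")        # assumption


def parse_entries(text):
    """Yield (kind, body) for every HijackThis entry line."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def first_target(cmd):
    """Return the file a Run value actually starts: the quoted or first
    token, or for rundll32 the module it is told to load."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:cmd.find('"', 1)]
        rest = cmd[len(exe) + 2:].strip()
    else:
        exe, _, rest = cmd.partition(" ")
    if exe.lower().endswith("rundll32.exe") and rest:
        exe = rest.split(",", 1)[0].strip().strip('"')
    return exe


def triage(text, trusted_hosts=TRUSTED_DPF_HOSTS, known_names=KNOWN_SYSTEM_NAMES):
    """Return a list of (kind, reason, entry) findings worth a human look."""
    findings = []
    for kind, body in parse_entries(text):
        if kind == "F2" and "Shell=" in body:
            value = body.split("Shell=", 1)[1].split()
            if [v.lower() for v in value] != ["explorer.exe"]:
                findings.append((kind, "Shell= starts something besides Explorer.exe", body))
        elif kind == "O4":
            m = O4_RE.match(body)
            if not m:
                continue  # Global Startup .lnk entries have a different shape
            target = first_target(m.group("cmd"))
            if "\\" not in target:
                findings.append((kind, "Run value without a path; only PATH search locates it", body))
            else:
                directory, _, base = target.rpartition("\\")
                if directory.lower() in WINDOWS_DIRS and base.lower() not in known_names:
                    findings.append((kind, "unvetted file started from the Windows directory", body))
        elif kind == "O16":
            m = URL_RE.search(body)
            if m:
                host = urlparse(m.group(0)).hostname or ""
                if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
                    findings.append((kind, f"ActiveX download from untrusted host {host}", body))
        elif kind == "O17" and "NameServer = " in body:
            servers = body.split("NameServer = ", 1)[1]
            findings.append((kind, f"DNS overridden to {servers}; confirm these belong to the ISP", body))
    return findings


# Lines copied from the log in post #1 (a subset, for the demonstration).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe penis.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [aduuqxxnvle] C:\WINDOWS\System32\qumklajo.exe
O4 - HKLM\..\Run: [Windows System] WINSYS.EXE
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1108710817002
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7627ECD-AECC-4B59-9877-3C9152711021}: NameServer = 203.109.250.50,203.109.250.61
"""

if __name__ == "__main__":
    for kind, reason, entry in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}\n    {entry}")
```

The script is a triage aid, not a verdict: an entry it flags still has to be checked (publisher, file hash, the DNS servers against the ISP), and an entry it does not flag, such as a legitimately named file in Program Files, is not thereby clean. Run it over the full log by reading the saved file into `triage()`.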
