
Smitfraud...please, please help!


  • This topic is locked

#1
WatchNut

    Member

  • Member
  • 38 posts
All:

It appears I've been infected with a SMITFRAUD variant, and I cannot for the life of me get it off my machine. I've tried disinfecting with PC-Cillin, Ad-Aware and Spybot S&D. I've also tried S!ri's Smitfraud fix.

No matter what happens, Spybot S&D continues to pick up the infection. S&D keeps picking up the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR item in my registry, and when I try to delete it, the next time I go into Safe Mode, the darn thing is back.

This is my HijackThis log (run in Safe Mode). I really hope you can help me.

Many thanks!!

Michael
-----------------
Logfile of HijackThis v1.99.1
Scan saved at 10:16:29 PM, on 11/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\regedit.exe
D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\HiJ\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c
O4 - HKLM\..\Run: [SysMetrix] D:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Spamihilator] "D:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectBar.lnk = D:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22....es/MsnPUpld.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
  • 0



#2
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello and welcome to Geeks To Go

Some malware has the ability to hide when interrogated by HijackThis; I believe this may be true in your case. Please right click on hijackthis.exe and rename it to crusty.exe

Now please rescan with the newly named file and post the log into this thread by using the ADD REPLY button on the bottom right of this post, and I'll have a fresh look.

From now on, you will have to use crusty.exe to produce a HJT log.

Please ensure that you post logs created in normal mode only.
  • 0

#3
WatchNut

    Member

  • Topic Starter
  • Member
  • 38 posts
Thanks Phil. Here's the "Crusty" log (not from Safe Mode).

Regards,

Michael

-----------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:10:07 AM, on 11/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\SysMetrix\SysMetrix.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
D:\Program Files\Spamihilator\spamihilator.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
D:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\Qualcomm\Eudora\Eudora.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Mozilla Firefox\firefox.exe
E:\Internet\HiJ_This\Crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\atutxehh.dll
O2 - BHO: (no name) - {3CAE0B22-FFB7-417E-8CFF-4465CF632F70} - C:\WINDOWS\system32\opnommm.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {B68639A6-3CB3-4237-BBF6-DF3243DA3B96} - C:\WINDOWS\system32\pmkhi.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c
O4 - HKLM\..\Run: [SysMetrix] D:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Spamihilator] "D:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectBar.lnk = D:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22....es/MsnPUpld.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: opnommm - C:\WINDOWS\SYSTEM32\opnommm.dll
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
  • 0

#4
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello Michael and a formal welcome to Geeks to Go

Renaming was a good call; have a look at the O2 and O20 entries.

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual's settings, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! (Click the Options drop down near the upper right of the topic. Select Print this topic.)

You have quite a mixture of malware and Trojans including a ConHook infection. Let’s see what we can do in dealing with that one first of all since it is the worst.


Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log, from normal mode, in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Now please try running it a bit differently:
  • Double-click VundoFix.exe to run it.
  • You will receive a message saying Vundofix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click Scan for Vundo button.
  • Once the scan is complete, right-click inside the listbox (white box) and click Add more files?
  • Copy & paste the 2 entries below into the top 2 boxes:
    • C:\WINDOWS\system32\pmkhi.dll
    • C:\WINDOWS\system32\ihkmp.*
  • Click Add Files and click Close Window.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a fresh HiJackThis log, from normal mode.

  • 0
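The comparison Crustyoldbloke asks for by eye (stock-exe log versus renamed-exe log, then "have a look at the O2 and O20 entries") can be scripted. The following is an added example, not a tool from the thread or from HijackThis; the two log excerpts are constructed from entries quoted in posts #1 and #3, and the heuristics (unnamed BHOs, a BHO DLL that is also a Winlogon Notify handler) are assumptions about what a log reviewer looks for, not HijackThis' own logic.

```python
"""Triage helper for HijackThis (HJT) logs.

Compares a log taken with the stock hijackthis.exe against one taken after
the executable was renamed, and flags the BHO (O2) and Winlogon Notify (O20)
entries that only appeared once the malware could no longer spot the scanner.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the first log (stock hijackthis.exe, post #1).
LOG_BEFORE = r"""
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

# Constructed excerpt of the second log (exe renamed to crusty.exe, post #3).
LOG_AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll
O2 - BHO: (no name) - {3CAE0B22-FFB7-417E-8CFF-4465CF632F70} - C:\WINDOWS\system32\opnommm.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {B68639A6-3CB3-4237-BBF6-DF3243DA3B96} - C:\WINDOWS\system32\pmkhi.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: opnommm - C:\WINDOWS\SYSTEM32\opnommm.dll
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll
"""

# HJT entry lines look like "O2 - <body>"; process lists and headers do not match.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


@dataclass
class Entry:
    section: str
    body: str
    name: str = ""
    path: str = ""

    @property
    def dll(self) -> str:
        # Basename, case-folded: NTFS paths are case-insensitive, and the log
        # mixes "system32" and "SYSTEM32" for the same directory.
        return self.path.split("\\")[-1].lower()


def parse_log(text: str) -> list[Entry]:
    """Parse the entry section of an HJT log; non-entry lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = Entry(m["section"], m["body"])
        if e.section == "O2" and (b := BHO_RE.match(e.body)):
            e.name, e.path = b["name"], b["path"]
        elif e.section == "O20" and (n := NOTIFY_RE.match(e.body)):
            e.name, e.path = n["key"], n["path"]
        # Later logs append this once the DLL has been deleted; drop it so the
        # basename still compares equal across logs.
        e.path = e.path.removesuffix(" (file missing)")
        entries.append(e)
    return entries


def triage(before_text: str, after_text: str) -> dict[str, list[Entry]]:
    """Return the entries a reviewer should look at first (assumed heuristics)."""
    before = {(e.section, e.body) for e in parse_log(before_text)}
    after = parse_log(after_text)
    # Anything the renamed scanner sees that the stock one did not.
    hidden = [e for e in after if (e.section, e.body) not in before]
    # Legitimate BHOs almost always carry a product name.
    unnamed_bho = [e for e in after if e.section == "O2" and e.name == "(no name)"]
    # A DLL loaded both as a BHO and as a Winlogon Notify handler has two
    # persistence hooks, which is the pattern the O20 lines in post #3 show.
    notify_dlls = {e.dll for e in after if e.section == "O20"}
    bho_and_notify = [e for e in after if e.section == "O2" and e.dll in notify_dlls]
    return {"hidden": hidden, "unnamed_bho": unnamed_bho, "bho_and_notify": bho_and_notify}


if __name__ == "__main__":
    for label, found in triage(LOG_BEFORE, LOG_AFTER).items():
        print(f"== {label} ({len(found)})")
        for e in found:
            print(f"  {e.section} - {e.body}")
```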

#5
WatchNut

    Member

  • Topic Starter
  • Member
  • 38 posts
Hi Phil:

Thanks so much for your time. I followed your instructions, and here are the logs.

Regards,

Michael

------------------------
Vundofix.txt


VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.6

Scan started at 9:59:32 AM 11/28/2006

Listing files found while scanning....

C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\pmkhi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.6

Scan started at 10:05:01 AM 11/28/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.2.13

----------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:37:53 AM, on 11/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\SysMetrix\SysMetrix.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Program Files\Spamihilator\spamihilator.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
D:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Internet\HiJ_This\Crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll (file missing)
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\atutxehh.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {A705EE10-98FE-47AD-868A-9039E83285A4} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: (no name) - {B68639A6-3CB3-4237-BBF6-DF3243DA3B96} - C:\WINDOWS\system32\pmkhi.dll (file missing)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SysMetrix] D:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Spamihilator] "D:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectBar.lnk = D:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22....es/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
  • 0

#6
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Michael

That appears to have killed ConHook, I will take care of the other visible malware in this fix, but I want to check for Puper (Smitfraud) even though I can’t see it in your log.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder (right click and choose Extract All) and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

Please copy & paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

Note: process.exe is detected by some antivirus programmes (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a programme used to stop system processes. Antivirus programmes cannot distinguish between "good" and "malicious" use of such programmes, therefore they may alert the user.
http://www.beyondlog...processutil.htm

Now I want to continue with further scans including AVGas in safe mode.

Please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CCleaner
combofix.exe

Please open and update AVG Anti-Spyware
  • Load AVGas and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Please select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Deselect "Only if threats were found"
  • Close AVGas. Do not run it yet.
Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:

Safe Mode

  • In Safe Mode, load AVGas and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be patient.
  • AVGas will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVGas will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (I suggest the Desktop).
  • Please ensure you post that log in your reply.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll (file missing)
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\atutxehh.dll
O2 - BHO: (no name) - {A705EE10-98FE-47AD-868A-9039E83285A4} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: (no name) - {B68639A6-3CB3-4237-BBF6-DF3243DA3B96} - C:\WINDOWS\system32\pmkhi.dll (file missing)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into normal mode.

Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\atutxehh.dll
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

There is almost certainly some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the Windows tab, and under the heading of Applications, Utilities uncheck AVGas Anti-Spyware, then click Analyze > Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues, then Scan for issues, then Fix selected issues.

Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log. Please post that log in your next reply.

Note: Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Post back a fresh HijackThis log (from normal mode) and I will take another look. (that's four logs in total please).
#7
WatchNut (Topic Starter, Member, 38 posts)
Hello again Phil, and once again, THANK YOU!

I followed your instructions, and the logs are below. They are as follows:
1st log: Smitfraud Fix log
2nd log: AVG log

When I ran HijackThis and selected FIX CHECKED as you suggested, I got a message that said "HiJack This is about to remove a BHO and corresponding file from your system. Close all Internet Explorer windows and Windows Explorer windows before continuing for best chance of success."

There were no other windows open, so I clicked the OK button on that message.

When I ran Killbox, I did get the PendingFileRenameOperations prompt.

3rd log: Combofix log
4th log: Hijack This log from end of process.

Many thanks,

Michael

----------------------------------------------
Smitfraud fix log

SmitFraudFix v2.124

Scan done at 10:57:30.43, Tue 11/28/2006
Run from E:\Internet\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Michael Sandler


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Michael Sandler\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MICHAE~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

--------------------------------------------------
AVG log

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:51:59 PM 11/28/2006

+ Scan result:



C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : Ignored.
C:\Documents and Settings\Michael Sandler\Cookies\michael sandler@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Michael Sandler\Cookies\michael sandler@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Michael Sandler\Cookies\michael sandler@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.473:C:\Documents and Settings\Michael Sandler\Application Data\Mozilla\Firefox\Profiles\ic3fbgzr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.474:C:\Documents and Settings\Michael Sandler\Application Data\Mozilla\Firefox\Profiles\ic3fbgzr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.475:C:\Documents and Settings\Michael Sandler\Application Data\Mozilla\Firefox\Profiles\ic3fbgzr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.476:C:\Documents and Settings\Michael Sandler\Application Data\Mozilla\Firefox\Profiles\ic3fbgzr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.477:C:\Documents and Settings\Michael Sandler\Application Data\Mozilla\Firefox\Profiles\ic3fbgzr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.478:C:\Documents and Settings\Michael Sandler\Application Data\Mozilla\Firefox\Profiles\ic3fbgzr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.479:C:\Documents and Settings\Michael Sandler\Application Data\Mozilla\Firefox\Profiles\ic3fbgzr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.480:C:\Documents and Settings\Michael Sandler\Application Data\Mozilla\Firefox\Profiles\ic3fbgzr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.481:C:\Documents and Settings\Michael Sandler\Application Data\Mozilla\Firefox\Profiles\ic3fbgzr.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.483:C:\Documents and Settings\Michael Sandler\Application Data\Mozilla\Firefox\Profiles\ic3fbgzr.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.549:C:\Documents and Settings\Michael Sandler\Application Data\Mozilla\Firefox\Profiles\ic3fbgzr.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.530:C:\Documents and Settings\Michael Sandler\Application Data\Mozilla\Firefox\Profiles\ic3fbgzr.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.531:C:\Documents and Settings\Michael Sandler\Application Data\Mozilla\Firefox\Profiles\ic3fbgzr.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.532:C:\Documents and Settings\Michael Sandler\Application Data\Mozilla\Firefox\Profiles\ic3fbgzr.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.533:C:\Documents and Settings\Michael Sandler\Application Data\Mozilla\Firefox\Profiles\ic3fbgzr.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.534:C:\Documents and Settings\Michael Sandler\Application Data\Mozilla\Firefox\Profiles\ic3fbgzr.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.535:C:\Documents and Settings\Michael Sandler\Application Data\Mozilla\Firefox\Profiles\ic3fbgzr.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000079.dll -> Trojan.Mezzia : Cleaned with backup (quarantined).


::Report end

---------------------------------------------------
Combofix log

Michael Sandler - 06-11-28 17:04:30.68 Service Pack 2
ComboFix 06.11.27W - Running from: "E:\Internet"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe


((((((((((((((((((((((((((((((( Files Created from 2006-10-28 to 2006-11-28 ))))))))))))))))))))))))))))))))))


2006-11-28 16:59 <DIR> d-------- C:\!KillBox
2006-11-28 09:59 <DIR> d-------- C:\VundoFix Backups
2006-11-28 09:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-28 01:47 <DIR> dr-h----- C:\Documents and Settings\Michael Sandler\Application Data\yahoo!
2006-11-27 22:15 <DIR> d-------- C:\HiJ
2006-11-27 21:22 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2006-11-27 20:08 200 --a------ C:\delrb1.reg
2006-11-27 20:08 120 --a------ C:\delrb.bat
2006-11-27 18:41 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-27 18:23 3,490 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-27 13:27 88,340 --a------ C:\WINDOWS\system32\psuowcmx.exe
2006-11-26 16:49 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\DeepBurner
2006-11-26 16:10 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Sonic
2006-11-26 16:10 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Leadertech
2006-11-26 13:54 40,973 ---hs---- C:\WINDOWS\system32\opnommm.dll
2006-11-26 13:26 38,420 --a------ C:\WINDOWS\system32\carfheox.dll
2006-11-26 13:17 40,973 ---hs---- C:\WINDOWS\system32\mljkihh.dll
2006-11-25 01:05 <DIR> d---s---- C:\Documents and Settings\Michael Sandler\UserData
2006-11-24 22:33 98,304 --a------ C:\WINDOWS\system32\lffax13n.dll
2006-11-24 22:33 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2006-11-24 22:33 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2006-11-24 22:33 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2006-11-24 22:33 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2006-11-24 22:33 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2006-11-24 22:33 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2006-11-24 22:33 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2006-11-24 22:33 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2006-11-24 22:33 155,648 --a------ C:\WINDOWS\system32\lftif13n.dll
2006-11-24 22:33 1,693,696 --a------ C:\WINDOWS\system32\ltclr13n.dll
2006-11-23 12:46 <DIR> d-------- C:\Program Files\Apple Software Update
2006-11-23 12:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2006-11-22 16:50 47,104 --a------ C:\WINDOWS\system32\Wh2Robo.dll
2006-11-22 16:44 45,056 --a------ C:\WINDOWS\NCUNINST.EXE
2006-11-22 16:42 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2006-11-22 16:40 35,840 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2006-11-22 16:40 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Share-to-Web Upload Folder
2006-11-22 16:39 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2006-11-22 16:39 <DIR> d-------- C:\Program Files\Hewlett-Packard
2006-11-22 16:39 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2006-11-22 16:36 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Contacts
2006-11-22 16:35 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2006-11-22 16:35 <DIR> d-------- C:\Program Files\MSN Messenger
2006-11-22 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yahoo!
2006-11-22 16:31 <DIR> d-------- C:\Program Files\Yahoo!
2006-11-22 11:26 <DIR> d-------- C:\New Files
2006-11-22 10:40 233,472 --a------ C:\WINDOWS\system32\Ilda32.dll
2006-11-22 10:39 304,128 --a------ C:\WINDOWS\IsUninst.exe
2006-11-22 10:39 <DIR> d-------- C:\Documents and Settings\Michael Sandler\WINDOWS
2006-11-22 09:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-22 09:49 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Lavasoft
2006-11-22 09:17 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\LCt
2006-11-22 09:12 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\ACD Systems
2006-11-22 09:10 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2006-11-22 09:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2006-11-21 23:11 <DIR> d-------- C:\WINDOWS\Sun
2006-11-21 23:11 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Sun
2006-11-21 23:07 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Talkback
2006-11-21 23:07 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Mozilla
2006-11-21 22:16 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\AdobeUM
2006-11-21 22:15 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Adobe
2006-11-21 21:59 1,712,128 -ra------ C:\WINDOWS\system32\gdiplus.dll
2006-11-21 21:45 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Help
2006-11-21 21:36 <DIR> d-------- C:\Program Files\PowerQuest
2006-11-21 20:17 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2006-11-21 19:56 <DIR> d-------- C:\Program Files\7-Zip
2006-11-21 19:54 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Macromedia
2006-11-21 19:45 23,808 --a------ C:\WINDOWS\system32\drivers\Dot4usb.sys
2006-11-21 19:45 207,360 --a------ C:\WINDOWS\system32\drivers\Dot4.sys
2006-11-21 19:45 12,928 --a------ C:\WINDOWS\system32\drivers\Dot4Prt.sys
2006-11-21 19:45 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2006-11-21 19:44 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-11-21 19:44 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2006-11-21 19:44 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2006-11-21 19:44 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2006-11-21 19:44 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-11-21 19:44 26,496 --a------ C:\WINDOWS\system32\drivers\USBSTOR.SYS
2006-11-21 19:44 180,224 --a------ C:\WINDOWS\system32\nvudisp.exe
2006-11-21 19:44 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys
2006-11-21 19:44 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2006-11-21 19:44 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2006-11-21 19:44 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-21 19:44 <DIR> d-------- C:\Program Files\CONEXANT
2006-11-21 19:44 <DIR> d-------- C:\3d2a98569c44fdfb3e38181d4345
2006-11-21 19:33 23,040 --------- C:\WINDOWS\kb913800.exe
2006-11-21 19:28 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2006-11-21 19:22 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Google
2006-11-21 19:16 <DIR> dr-h----- C:\Documents and Settings\Michael Sandler\SendTo
2006-11-21 19:16 <DIR> dr-h----- C:\Documents and Settings\Michael Sandler\Recent
2006-11-21 19:16 <DIR> dr-h----- C:\Documents and Settings\Michael Sandler\Application Data\.
2006-11-21 19:16 <DIR> dr-h----- C:\Documents and Settings\Michael Sandler\Application Data
2006-11-21 19:16 <DIR> dr------- C:\Documents and Settings\Michael Sandler\Start Menu
2006-11-21 19:16 <DIR> dr------- C:\Documents and Settings\Michael Sandler\Favorites
2006-11-21 19:16 <DIR> d--h----- C:\Documents and Settings\Michael Sandler\Templates
2006-11-21 19:16 <DIR> d--h----- C:\Documents and Settings\Michael Sandler\PrintHood
2006-11-21 19:16 <DIR> d--h----- C:\Documents and Settings\Michael Sandler\NetHood
2006-11-21 19:16 <DIR> d--h----- C:\Documents and Settings\Michael Sandler\Local Settings
2006-11-21 19:16 <DIR> d--h----- C:\Documents and Settings\Michael Sandler\Application Data\Gtek
2006-11-21 19:16 <DIR> d---s---- C:\Documents and Settings\Michael Sandler\Cookies
2006-11-21 19:16 <DIR> d---s---- C:\Documents and Settings\Michael Sandler\Application Data\Microsoft
2006-11-21 19:16 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Desktop
2006-11-21 19:16 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Identities
2006-11-21 19:16 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\..
2006-11-21 19:16 <DIR> d-------- C:\Documents and Settings\Michael Sandler\..
2006-11-21 19:16 <DIR> d-------- C:\Documents and Settings\Michael Sandler\.
2006-11-21 19:15 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2006-11-21 19:12 <DIR> d--hs---- C:\RECYCLER
2006-11-21 19:09 <DIR> d-------- C:\Program Files\EarthLink Setup
2006-11-21 19:08 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
2006-11-21 19:08 <DIR> d-------- C:\Program Files\Dell Support
2006-11-21 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GTek
2006-11-21 19:07 <DIR> d-------- C:\WINDOWS\SHELLNEW
2006-11-21 19:07 <DIR> d-------- C:\Program Files\Microsoft.NET
2006-11-21 19:07 <DIR> d-------- C:\Program Files\Microsoft Visual Studio
2006-11-21 19:07 <DIR> d-------- C:\Program Files\Microsoft Office
2006-11-21 19:07 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2006-11-21 19:07 <DIR> d-------- C:\Program Files\Common Files\L&H
2006-11-21 19:07 <DIR> d-------- C:\Program Files\Common Files\DESIGNER
2006-11-21 19:07 <DIR> d-------- C:\Program Files\Common Files\Adobe
2006-11-21 19:07 <DIR> d-------- C:\Program Files\Adobe
2006-11-21 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2006-11-21 19:06 <DIR> d-------- C:\Program Files\Sonic
2006-11-21 19:06 <DIR> d-------- C:\Program Files\Microsoft Works
2006-11-21 19:06 <DIR> d-------- C:\Program Files\Google
2006-11-21 19:06 <DIR> d-------- C:\Program Files\BAE
2006-11-21 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2006-11-21 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google
2006-11-21 19:05 94,263 --a------ C:\WINDOWS\DLA.EXE
2006-11-21 19:05 89,264 --a------ C:\WINDOWS\system32\drivers\DRVMCDB.SYS
2006-11-21 19:05 61,500 --a------ C:\WINDOWS\system32\DLAAPI_W.DLL
2006-11-21 19:05 5,628 --a------ C:\WINDOWS\system32\drivers\DLACDBHM.SYS
2006-11-21 19:05 40,544 --a------ C:\WINDOWS\system32\drivers\DRVNDDM.SYS
2006-11-21 19:05 22,684 --a------ C:\WINDOWS\system32\drivers\DLARTL_N.SYS
2006-11-21 19:05 <DIR> d-------- C:\WINDOWS\system32\DLA
2006-11-21 19:05 <DIR> d-------- C:\Program Files\Roxio
2006-11-21 19:05 <DIR> d-------- C:\Program Files\Common Files\TiVo Shared
2006-11-21 19:05 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2006-11-21 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2006-11-21 19:04 <DIR> d-------- C:\WINDOWS\occache
2006-11-21 19:04 <DIR> d-------- C:\Program Files\Viewpoint
2006-11-21 19:04 <DIR> d-------- C:\Program Files\Trend Micro
2006-11-21 19:04 <DIR> d-------- C:\Program Files\Learn2.com
2006-11-21 19:04 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2006-11-21 19:04 <DIR> d-------- C:\Program Files\AOL Companion
2006-11-21 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2006-11-21 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2006-11-21 19:03 8,552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys
2006-11-21 19:03 54,784 --a------ C:\WINDOWS\system32\Inetwh32.dll
2006-11-21 19:03 33,588 --a------ C:\WINDOWS\system32\drivers\wanatw4.sys
2006-11-21 19:03 225,280 --a------ C:\WINDOWS\system32\AOLDial.dll
2006-11-21 19:03 153,088 --a------ C:\WINDOWS\system32\jgdwmie.dll
2006-11-21 19:03 1,044,480 --a------ C:\WINDOWS\system32\roboex32.dll
2006-11-21 19:03 <DIR> d-------- C:\Program Files\Real
2006-11-21 19:03 <DIR> d-------- C:\Program Files\Microsoft Plus! Photo Story 2 LE
2006-11-21 19:03 <DIR> d-------- C:\Program Files\Microsoft Plus! Digital Media Edition
2006-11-21 19:03 <DIR> d-------- C:\Program Files\Common Files\Real
2006-11-21 19:03 <DIR> d-------- C:\Program Files\Common Files\aolshare
2006-11-21 19:03 <DIR> d-------- C:\Program Files\Common Files\AOL
2006-11-21 19:03 <DIR> d-------- C:\Program Files\America Online 9.0
2006-11-21 19:03 <DIR> d-------- C:\My Music
2006-11-21 19:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2006-11-21 19:02 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2006-11-21 19:02 <DIR> d-------- C:\Program Files\NetWaiting
2006-11-21 19:02 <DIR> d-------- C:\Program Files\MUSICMATCH
2006-11-21 19:02 <DIR> d-------- C:\Program Files\Modem Helper
2006-11-21 19:02 <DIR> d-------- C:\Program Files\InterActual
2006-11-21 19:02 <DIR> d-------- C:\Program Files\Digital Line Detect
2006-11-21 19:02 <DIR> d-------- C:\Program Files\Dell
2006-11-21 19:02 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2006-11-21 19:01 126,976 --a------ C:\WINDOWS\system32\Imsmudlg.exe
2006-11-21 19:01 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2006-11-21 19:01 <DIR> d-------- C:\WINDOWS\system32\ENU
2006-11-21 19:01 <DIR> d-------- C:\Program Files\Intel
2006-11-21 19:01 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2006-11-21 19:01 <DIR> d-------- C:\drvrtmp
2006-11-21 18:58 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2006-11-21 18:58 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2006-11-21 18:58 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-11-21 18:58 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2006-11-21 18:58 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2006-11-21 18:58 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2006-11-21 18:58 282,624 --a------ C:\WINDOWS\stsystra.exe
2006-11-21 18:58 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2006-11-21 18:58 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2006-11-21 18:58 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2006-11-21 18:58 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2006-11-21 18:58 1,052,672 --a------ C:\WINDOWS\system32\stlang.dll
2006-11-21 18:58 <DIR> d-------- C:\Program Files\Sigmatel
2006-11-21 18:56 <DIR> d-------- C:\Program Files\Java
2006-11-21 18:56 <DIR> d-------- C:\Program Files\Common Files\Java
2006-11-21 18:54 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2006-11-18 18:00 <DIR> d-------- C:\dell
2006-11-18 17:58 90,112 --a------ C:\WINDOWS\system32\nvapi.dll
2006-11-18 17:58 90,112 --a------ C:\WINDOWS\system32\mdmxsdk.dll
2006-11-18 17:58 86,016 --a------ C:\WINDOWS\system32\nvmctray.dll
2006-11-18 17:58 81,920 --a------ C:\WINDOWS\system32\nvwddi.dll
2006-11-18 17:58 7,323,648 --a------ C:\WINDOWS\system32\nvcpl.dll
2006-11-18 17:58 680,704 --a------ C:\WINDOWS\system32\drivers\HSF_CNXT.sys
2006-11-18 17:58 56,832 --a------ C:\WINDOWS\system32\NicEtCoE.dll
2006-11-18 17:58 5,398,528 --a------ C:\WINDOWS\system32\nvoglnt.dll
2006-11-18 17:58 49,152 --a------ C:\WINDOWS\setpwrcg.exe
2006-11-18 17:58 45,056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2006-11-18 17:58 35,328 --a------ C:\WINDOWS\system32\nvcodins.dll
2006-11-18 17:58 35,328 --a------ C:\WINDOWS\system32\nvcod.dll
2006-11-18 17:58 335,872 --a------ C:\WINDOWS\system32\nvwrses.dll
2006-11-18 17:58 327,680 --a------ C:\WINDOWS\system32\nvwrsfr.dll
2006-11-18 17:58 323,584 --a------ C:\WINDOWS\system32\nvwrsit.dll
2006-11-18 17:58 32,218 --a------ C:\WINDOWS\system32\HSFCI008.dll
2006-11-18 17:58 319,488 --a------ C:\WINDOWS\system32\nvwrsptb.dll
2006-11-18 17:58 319,488 --a------ C:\WINDOWS\system32\nvwrsnl.dll
2006-11-18 17:58 311,296 --a------ C:\WINDOWS\system32\nvwrsde.dll
2006-11-18 17:58 303,104 --a------ C:\WINDOWS\system32\nvwrsfi.dll
2006-11-18 17:58 299,008 --a------ C:\WINDOWS\system32\nvwrsno.dll
2006-11-18 17:58 294,912 --a------ C:\WINDOWS\system32\nvwrssv.dll
2006-11-18 17:58 294,912 --a------ C:\WINDOWS\system32\nvwrsda.dll
2006-11-18 17:58 278,528 --a------ C:\WINDOWS\system32\nvrsfr.dll
2006-11-18 17:58 274,432 --a------ C:\WINDOWS\system32\nvrsit.dll
2006-11-18 17:58 274,432 --a------ C:\WINDOWS\system32\nvrses.dll
2006-11-18 17:58 270,336 --a------ C:\WINDOWS\system32\nvrsde.dll
2006-11-18 17:58 266,240 --a------ C:\WINDOWS\system32\nvrsnl.dll
2006-11-18 17:58 262,144 --a------ C:\WINDOWS\system32\nvrsptb.dll
2006-11-18 17:58 262,144 --a------ C:\WINDOWS\system32\nvrsja.dll
2006-11-18 17:58 258,048 --a------ C:\WINDOWS\system32\nvrsko.dll
2006-11-18 17:58 253,952 --a------ C:\WINDOWS\system32\e1000msg.dll
2006-11-18 17:58 249,856 --a------ C:\WINDOWS\system32\nvrssv.dll
2006-11-18 17:58 249,856 --a------ C:\WINDOWS\system32\nvrsno.dll
2006-11-18 17:58 249,856 --a------ C:\WINDOWS\system32\nvrsda.dll
2006-11-18 17:58 246,784 --a------ C:\WINDOWS\system32\drivers\iaStor.sys
2006-11-18 17:58 241,664 --a------ C:\WINDOWS\system32\nvrsfi.dll
2006-11-18 17:58 24,576 --a------ C:\WINDOWS\system32\DSRIRREM.EXE
2006-11-18 17:58 230,400 --a------ C:\WINDOWS\system32\drivers\e1e5132.sys
2006-11-18 17:58 229,376 --a------ C:\WINDOWS\system32\nvmccs.dll
2006-11-18 17:58 217,088 --a------ C:\WINDOWS\system32\nvrszhc.dll
2006-11-18 17:58 212,992 --a------ C:\WINDOWS\system32\nvwrsja.dll
2006-11-18 17:58 212,224 --a------ C:\WINDOWS\system32\drivers\HSFHWBS2.sys
2006-11-18 17:58 21,504 --a------ C:\WINDOWS\system32\NicCo.dll
2006-11-18 17:58 20,480 --a------ C:\WINDOWS\system32\NicInstE.dll
2006-11-18 17:58 196,608 --a------ C:\WINDOWS\system32\nvwrsko.dll
2006-11-18 17:58 167,936 --a------ C:\WINDOWS\system32\nvwrszht.dll
2006-11-18 17:58 163,840 --a------ C:\WINDOWS\system32\nvwrszhc.dll
2006-11-18 17:58 155,648 --a------ C:\WINDOWS\system32\GWSEH.dll
2006-11-18 17:58 143,427 --a------ C:\WINDOWS\system32\nvsvc32.exe
2006-11-18 17:58 126,976 --a------ C:\WINDOWS\system32\Prounstl.exe
2006-11-18 17:58 118,784 --a------ C:\WINDOWS\system32\nvrszht.dll
2006-11-18 17:58 11,043 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys
2006-11-18 17:58 1,488 --a------ C:\WINDOWS\system32\DSR_BAT.BAT
2006-11-18 17:58 1,042,432 --a------ C:\WINDOWS\system32\drivers\HSF_DP.sys
2006-11-18 17:58 <DIR> d--hs---- C:\WINDOWS\..
2006-11-18 17:58 <DIR> d-------- C:\WINDOWS\system32\drivers\..
2006-11-18 17:58 <DIR> d-------- C:\WINDOWS\system32\drivers\.
2006-11-18 17:58 <DIR> d-------- C:\WINDOWS\system32\drivers
2006-11-18 17:58 <DIR> d-------- C:\WINDOWS\system32\..
2006-11-18 17:58 <DIR> d-------- C:\WINDOWS\system32\.
2006-11-18 17:58 <DIR> d-------- C:\WINDOWS\system32
2006-11-18 17:58 <DIR> d-------- C:\WINDOWS\.
2006-11-18 17:58 <DIR> d-------- C:\WINDOWS
2006-11-18 17:58 <DIR> d-------- C:\i386
2006-11-18 17:58 <DIR> d-------- C:\drivers
2006-11-18 17:57 985,088 --a------ C:\WINDOWS\system32\setupapi.dll
2006-11-18 17:57 208,896 --a------ C:\WINDOWS\system32\stacapi.dll
2006-11-18 17:57 112,128 --a------ C:\WINDOWS\system32\staco.dll
2006-11-18 17:57 1,156,648 --a------ C:\WINDOWS\system32\drivers\sthda.sys
2006-11-18 17:57 <DIR> d-------- C:\WINDOWS\ehome
2006-11-18 17:56 884,736 --a------ C:\WINDOWS\system32\msimsg.dll
2006-11-18 17:56 78,848 --a------ C:\WINDOWS\system32\msiexec.exe
2006-11-18 17:56 453,120 --a------ C:\WINDOWS\system32\drivers\mrxsmb.sys
2006-11-18 17:56 271,360 --a------ C:\WINDOWS\system32\msihnd.dll
2006-11-18 17:56 2,890,240 --a------ C:\WINDOWS\system32\msi.dll
2006-11-18 17:56 15,360 --a------ C:\WINDOWS\system32\msisip.dll
2006-11-18 17:56 <DIR> d-------- C:\WINDOWS\system32\oobe
2006-11-18 17:56 <DIR> d-------- C:\WINDOWS\system32\dllcache
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-28 17:04 -------- d-------- C:\Program Files\Common Files
2006-11-28 09:29 -------- d-------- C:\Program Files\Internet Explorer
2006-11-22 16:54 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-11-21 19:44 -------- d-------- C:\Program Files\Windows Media Player
2006-11-21 19:07 -------- d-------- C:\Program Files\Common Files\System
2006-11-21 18:58 -------- d-------- C:\Program Files\Outlook Express
2006-11-21 18:56 -------- d-------- C:\Program Files\Messenger


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"OE_OEM"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\TMAS_OE\\TMAS_OEMon.exe\""
"Spamihilator"="\"D:\\Program Files\\Spamihilator\\spamihilator.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SigmatelSysTrayApp"="stsystra.exe"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe"
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\pccguide.exe\""
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"SysMetrix"="D:\\Program Files\\SysMetrix\\SysMetrix.exe"
"Share-to-Web Namespace Daemon"="D:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
@=""
"StatusClient"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Apache Tomcat 4.0\\webapps\\Toolbox\\StatusClient\\StatusClient.exe /auto"
"TomcatStartup"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\hpbpsttp.exe"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!AVG Anti-Spyware"="\"D:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{827D3881-317C-442A-B4ED-F576CBA700BB}"="GW SEH Intercept"
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoBandCustomize"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061128-165511-962
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
backup-20061128-165511-752
O2 - BHO: (no name) - {A705EE10-98FE-47AD-868A-9039E83285A4} - C:\WINDOWS\system32\ssqpp.dll (file missing)
backup-20061128-165511-147
O2 - BHO: (no name) - {B68639A6-3CB3-4237-BBF6-DF3243DA3B96} - C:\WINDOWS\system32\pmkhi.dll (file missing)
backup-20061128-165511-972
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\atutxehh.dll
backup-20061128-165511-117
O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll (file missing)

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 06-11-28 17:04:55.48
C:\ComboFix.txt ... 06-11-28 17:04

----------------------------------------------
Final HiJackThis log

Logfile of HijackThis v1.99.1
Scan saved at 5:06:15 PM, on 11/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\SysMetrix\SysMetrix.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
D:\Program Files\Spamihilator\spamihilator.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
D:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
E:\Internet\HiJ_This\Crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SysMetrix] D:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Spamihilator] "D:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectBar.lnk = D:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22....es/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

#8 WatchNut (Member; Topic Starter; 38 posts)

Hi Phil:

I noticed on my final HijackThis log that the O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present entry that you asked me to check and remove in a previous step is back. That can't be good, I guess.
:-(

How close are we to getting this nasty bug off my machine?

Kind Regards,

Michael
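Michael's observation that a previously fixed O6 entry is back in a fresh log is the kind of check worth automating once a thread runs to this many scans. The Python script below is an added example and not code from HijackThis, ComboFix or this forum: it parses HijackThis-style entry lines, flags the entry patterns this thread turned up (a BHO with no name, a random-looking DLL in system32, an IE policy restriction), diffs two logs of the same machine, and reports which entries that were ticked and fixed are present again afterwards. The sample logs inside it are constructed from entry formats seen in this thread rather than copied from a real scan, and the function names and heuristics are the example's own.

```python
"""Triage and compare HijackThis-style logs.

Added example for this thread: not HijackThis, ComboFix or Geeks to Go code.
The sample logs below are constructed from the entry formats seen in the
thread; the heuristics are the example's own and are deliberately narrow.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# A HijackThis entry line: a section code (R0, O2, O4, ...) then a description.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# CLSIDs identify O2/O9/O16/O18 entries more stably than their paths.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Short random-looking DLL names in system32, as in the thread's HJT backups
# (ssqpp.dll, pmkhi.dll, atutxehh.dll, vorenbj.dll).
RANDOM_DLL_RE = re.compile(r"system32\\[a-z]{5,8}\.dll", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    @property
    def key(self) -> str:
        """Stable identity for an entry: section plus CLSID, else section plus body."""
        m = CLSID_RE.search(self.body)
        return f"{self.section}:{m.group(0).upper()}" if m else f"{self.section}:{self.body}"


def parse_hjt(text: str) -> List[Entry]:
    """Extract the R/F/N/O entries from a HijackThis log; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def suspicious(entry: Entry) -> Optional[str]:
    """Reason an entry deserves a look, or None. Narrow, thread-derived heuristics."""
    if entry.section == "O2" and "(no name)" in entry.body:
        return "BHO with no name"
    if entry.section == "O2" and RANDOM_DLL_RE.search(entry.body):
        return "BHO loading a random-looking DLL from system32"
    if entry.section == "O6":
        return "IE policy restriction present"
    return None


def triage(text: str) -> Dict[str, str]:
    """Map entry key -> reason for every entry in `text` that looks suspicious."""
    result = {}
    for entry in parse_hjt(text):
        reason = suspicious(entry)
        if reason:
            result[entry.key] = reason
    return result


def diff_logs(before: str, after: str) -> Tuple[Set[str], Set[str]]:
    """Return (removed, added) entry keys between two logs of the same machine."""
    b = {e.key for e in parse_hjt(before)}
    a = {e.key for e in parse_hjt(after)}
    return b - a, a - b


def still_present(fixed: str, after: str) -> Set[str]:
    """Entries that were ticked and fixed (`fixed`) but appear in a later log."""
    return {e.key for e in parse_hjt(fixed)} & {e.key for e in parse_hjt(after)}


# Constructed sample logs (not real scans): a log before a Fix Checked run,
# the lines that were ticked, and a log taken after the reboot.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {A705EE10-98FE-47AD-868A-9039E83285A4} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

FIXED_LINES = r"""O2 - BHO: (no name) - {A705EE10-98FE-47AD-868A-9039E83285A4} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

if __name__ == "__main__":
    for key, reason in triage(AFTER_LOG).items():
        print(f"look at: {key}  ({reason})")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", sorted(removed))
    print("added:  ", sorted(added))
    # An entry that was fixed but is back points at something re-creating it.
    print("fixed but present again:", sorted(still_present(FIXED_LINES, AFTER_LOG)))
```

The heuristics are intentionally narrow: `triage` is meant to direct attention, not to decide what to fix, and a "fixed but present again" result says only that something on the machine re-creates the entry, which is exactly the signal the helper in this thread is chasing with ComboFix and VundoFix.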

#9 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff; 15,131 posts)

Hello again Michael

Your HJT log looks clean.

I do see malware in Combofix which needs to be deleted, but first I want to check for Vundo.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log, from normal mode, in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If Vundofix does not find and delete the files, please try running it a bit differently:
  • Double-click VundoFix.exe to run it.
  • You will receive a message saying Vundofix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click Scan for Vundo button.
  • Once the scan is complete, right-click inside the listbox (white box) and click Add more files?
  • Copy & paste the 2 entries below into the top 2 boxes:
    • C:\WINDOWS\system32\mljkihh.dll
    • C:\WINDOWS\system32\hhikjlm.*
  • Click Add Files and click Close Window.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a fresh HiJackThis log, from normal mode.
I see one file for checking:

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following files on your system:

C:\WINDOWS\system32\psuowcmx.exe
C:\WINDOWS\system32\opnommm.dll
C:\WINDOWS\system32\carfheox.dll
C:\Program Files\DIGStream\digstream.exe

3. Once you have located the files, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis for those four files.

This folder can be safely deleted: C:\Program Files\Viewpoint\

Please locate and report back on the content of this folder: C:\HiJ\

#10 WatchNut (Member; Topic Starter; 38 posts)

Hello Phil:

Thanks again for your response (I realize it's late at night for you).

I downloaded and ran VundoFix per your explanation, and it found nothing on the first scan.

I then ran it again per your suggestion, manually adding the two file lines in your post. The machine then did indeed shut down and reboot as you said it would. The logs from VundoFix and HijackThis (there are still two O6 entries....is this OK?) are appended below. I will now go to the Jotti site and have the files analyzed, and I'll make a second post in this thread with the results.

Regards,

Michael

-------------------------------------------

VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.6

Scan started at 11:08:01 PM 11/28/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

Performing Repairs to the registry.
Done!

-------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:18:45 PM, on 11/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\SysMetrix\SysMetrix.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
D:\Program Files\Spamihilator\spamihilator.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
E:\Internet\HiJ_This\Crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SysMetrix] D:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Spamihilator] "D:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectBar.lnk = D:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22....es/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

#11 WatchNut (Member; Topic Starter; 38 posts)

Phil:

When I went to the Jotti site and browsed to the first file, I got a Trend Micro Pc-Cillin popup that said
Real-time Scan
Trend Micro PC-cillin Internet Security has detected a virus, spyware application, or other Internet threat, and performed the action specified.

Infected file: C:\WINDOWS\system32\psuowcmx.exe
Virus name: TROJ_AGENT.GZU
User name: Michael Sandler
Scan action result: Quarantined.
Note: If Search for and clean Trojans is enabled and is executed after scanning, you can click Next to view final scan result information.

I did not want to proceed further, since I was afraid after the virus warning. I am enclosing another HijackThis log in case my problem has recurred all over again.

I did delete the Viewpoint folder you instructed me to remove.

Also.....the C:\HiJ is nothing more than a folder I created to hold a copy of the Hijack This files.

How are we looking now? Close to getting this nasty thing solved?

Best Regards,

Michael

------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:24:37 PM, on 11/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\SysMetrix\SysMetrix.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
D:\Program Files\Spamihilator\spamihilator.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
E:\Internet\HiJ_This\Crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SysMetrix] D:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Spamihilator] "D:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectBar.lnk = D:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22....es/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
  • 0

#12 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff; 15,131 posts)
Hello again Michael

We are not far off completion now, but you need to go back to Jotti for the other two files. Don't worry about your AV programme kicking in, it's just doing its job.

These are the two files:

C:\WINDOWS\system32\opnommm.dll
C:\WINDOWS\system32\carfheox.dll

The other one is legitimate:

C:\Program Files\DIGStream\digstream.exe - part of Disney Corp, streaming device.

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Click on Fix Checked when finished and exit HijackThis.

Please run another ComboFix scan and post the log.

Reboot normally, and post a fresh HJT log from normal mode.
  • 0

#13 WatchNut (Topic Starter; Member; 38 posts)
Hi Phil:

Here are the Jotti results on the other 2 files:

File: opnommm.dll
Status:
INFECTED/MALWARE
MD5 1bff1c109b3b29ee1a118b847cdd96e6
Packers detected:
-
Scanner results
AntiVir
Found Trojan/Vundo.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Downloader.Virtumonde.H
ClamAV
Found nothing
Dr.Web
Found Trojan.Virtumod
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found not-a-virus:AdWare.Win32.Virtumonde.de (4, 1, 400)
Fortinet
Found nothing
Kaspersky Anti-Virus
Found not-a-virus:AdWare.Win32.Virtumonde.de
NOD32
Found nothing
Norman Virus Control
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


File: carfheox.dll
Status:
INFECTED/MALWARE
MD5 3cb102f1c3d4f7ec29cb450335379718
Packers detected:
-
Scanner results
AntiVir
Found Backdoor-Server/Pcclient.CC backdoor
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Backdoor.Pcclient.CC
ClamAV
Found nothing
Dr.Web
Found Trojan.Juan
F-Prot Antivirus
Found Possibly a new variant of W32/Threat-INLIB-based!Maximus
F-Secure Anti-Virus
Found Trojan.Win32.BHO.o
Fortinet
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.BHO.o
NOD32
Found Win32/BHO.NAC
Norman Virus Control
Found W32/Smalltroj.NWI
VirusBuster
Found nothing
VBA32
Found nothing


I will post the HijackThis results in my next post, immediately after this one.

Regards,

Michael
  • 0
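The two artefact formats that drive this thread, a Jotti multi-engine report and the ComboFix "Files Created" listing, are easy to triage mechanically. The following Python is an added example for this thread, not code from Geeks to Go, Jotti or ComboFix: it parses the Jotti report for opnommm.dll above into per-engine verdicts and a detection ratio, folds the vendor names Vundo, Virtumonde and Virtumod into one family (that alias table is an assumption of the example, not something Jotti reports), and flags entries in a ComboFix listing like the one in the next post that carry hidden+system attributes or share a byte size with a sibling in the same folder. Both sample inputs are copied from the logs in this thread and trimmed.

```python
"""Triage helpers for two artefact formats pasted in this thread: a Jotti
multi-engine report and ComboFix "Files Created" lines.  Added example for
this thread, not code from Geeks to Go, Jotti or ComboFix."""
import re
from collections import Counter

# Sample input copied from the Jotti report for opnommm.dll above, trimmed to
# six engines.  Jotti puts each scanner name on one line and its verdict on the next.
JOTTI_SAMPLE = """File: opnommm.dll
Status:
INFECTED/MALWARE
MD5 1bff1c109b3b29ee1a118b847cdd96e6
Packers detected:
-
Scanner results
AntiVir
Found Trojan/Vundo.Gen
Avast
Found nothing
BitDefender
Found Trojan.Downloader.Virtumonde.H
Dr.Web
Found Trojan.Virtumod
Kaspersky Anti-Virus
Found not-a-virus:AdWare.Win32.Virtumonde.de
NOD32
Found nothing
"""

# Vendor names for the same family.  This alias table is an assumption of the
# example; Jotti does not report it.
FAMILY_ALIASES = {"vundo": "Vundo", "virtumonde": "Vundo", "virtumod": "Vundo"}

def parse_jotti(text):
    """Return (filename, md5, {scanner: verdict}); verdict is None for 'Found nothing'."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    name = md5 = None
    verdicts = {}
    for i, line in enumerate(lines):
        if line.startswith("File:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("MD5"):
            md5 = line.split()[1].lower()
        elif line == "Scanner results":
            # Everything after this header alternates scanner / verdict.
            for scanner, verdict in zip(lines[i + 1::2], lines[i + 2::2]):
                v = verdict[6:] if verdict.startswith("Found ") else verdict
                verdicts[scanner] = None if v == "nothing" else v
            break
    return name, md5, verdicts

def family_consensus(verdicts):
    """Return (engines_detecting, engines_total, most common normalised family)."""
    hits = [v for v in verdicts.values() if v]
    families = Counter()
    for v in hits:
        # First alias-table token in a name like "Trojan.Downloader.Virtumonde.H".
        for tok in re.findall(r"[A-Za-z]+", v):
            if tok.lower() in FAMILY_ALIASES:
                families[FAMILY_ALIASES[tok.lower()]] += 1
                break
    top = families.most_common(1)[0][0] if families else None
    return len(hits), len(verdicts), top

# Constructed sample: three lines from the ComboFix "Files Created" listing in
# the next post, plus one benign driver for contrast.
COMBOFIX_SAMPLE = r"""2006-11-26 13:54 40,973 ---hs---- C:\WINDOWS\system32\opnommm.dll
2006-11-26 13:26 38,420 --a------ C:\WINDOWS\system32\carfheox.dll
2006-11-26 13:17 40,973 ---hs---- C:\WINDOWS\system32\mljkihh.dll
2006-11-21 19:44 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
"""

# date time  size  attrs  path  (directory lines carry "<DIR>" instead of a size, so they do not match)
CF_LINE = re.compile(r"^(\S+ \S+)\s+([\d,]+)\s+(\S{9})\s+(.*)$")

def triage_combofix(text):
    """Flag entries with hidden+system attributes or a same-size twin in the same
    folder.  Returns {basename: [reasons]} for flagged entries only."""
    entries = []
    for line in text.splitlines():
        m = CF_LINE.match(line.strip())
        if m:
            entries.append((m.group(3), int(m.group(2).replace(",", "")), m.group(4)))
    flagged = {}
    for attrs, size, path in entries:
        folder, base = path.rsplit("\\", 1)
        reasons = []
        if "h" in attrs and "s" in attrs:
            reasons.append("hidden+system attributes")
        twins = [p.rsplit("\\", 1)[1] for _, s, p in entries
                 if s == size and p != path and p.rsplit("\\", 1)[0] == folder]
        if twins:
            reasons.append("same size as " + ", ".join(twins))
        if reasons:
            flagged[base] = reasons
    return flagged
```

On the sample, `family_consensus` reports 4 of 6 engines detecting and names the family "Vundo", which is the consensus that matters more than any single vendor string. `triage_combofix` flags opnommm.dll and mljkihh.dll (hidden+system, identical 40,973-byte size) but not carfheox.dll, which is a plain `--a------` file with a unique size; that is why the helper in this thread asks for hashes and a multi-engine scan rather than trusting file attributes alone.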

#14 WatchNut (Topic Starter; Member; 38 posts)
Hello again Phil.

Here are the ComboFix log (before reboot) and the HijackThis log (after reboot). The O6 entries (both of them?) are now gone from the HijackThis log.

Thank you,

Michael


-----------------------------

Michael Sandler - 06-11-29 6:09:24.99 Service Pack 2
ComboFix 06.11.27W - Running from: "E:\Internet"

((((((((((((((((((((((((((((((( Files Created from 2006-10-29 to 2006-11-29 ))))))))))))))))))))))))))))))))))


2006-11-28 16:59 <DIR> d-------- C:\!KillBox
2006-11-28 09:59 <DIR> d-------- C:\VundoFix Backups
2006-11-28 09:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-28 01:47 <DIR> dr-h----- C:\Documents and Settings\Michael Sandler\Application Data\yahoo!
2006-11-27 22:15 <DIR> d-------- C:\HiJ
2006-11-27 21:22 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2006-11-27 20:08 200 --a------ C:\delrb1.reg
2006-11-27 20:08 120 --a------ C:\delrb.bat
2006-11-27 18:41 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-27 18:23 3,490 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-26 16:49 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\DeepBurner
2006-11-26 16:10 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Sonic
2006-11-26 16:10 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Leadertech
2006-11-26 13:54 40,973 ---hs---- C:\WINDOWS\system32\opnommm.dll
2006-11-26 13:26 38,420 --a------ C:\WINDOWS\system32\carfheox.dll
2006-11-26 13:17 40,973 ---hs---- C:\WINDOWS\system32\mljkihh.dll
2006-11-25 01:05 <DIR> d---s---- C:\Documents and Settings\Michael Sandler\UserData
2006-11-24 22:33 98,304 --a------ C:\WINDOWS\system32\lffax13n.dll
2006-11-24 22:33 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2006-11-24 22:33 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2006-11-24 22:33 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2006-11-24 22:33 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2006-11-24 22:33 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2006-11-24 22:33 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2006-11-24 22:33 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2006-11-24 22:33 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2006-11-24 22:33 155,648 --a------ C:\WINDOWS\system32\lftif13n.dll
2006-11-24 22:33 1,693,696 --a------ C:\WINDOWS\system32\ltclr13n.dll
2006-11-23 12:46 <DIR> d-------- C:\Program Files\Apple Software Update
2006-11-23 12:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2006-11-22 16:50 47,104 --a------ C:\WINDOWS\system32\Wh2Robo.dll
2006-11-22 16:44 45,056 --a------ C:\WINDOWS\NCUNINST.EXE
2006-11-22 16:42 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2006-11-22 16:40 35,840 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2006-11-22 16:40 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Share-to-Web Upload Folder
2006-11-22 16:39 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2006-11-22 16:39 <DIR> d-------- C:\Program Files\Hewlett-Packard
2006-11-22 16:39 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2006-11-22 16:36 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Contacts
2006-11-22 16:35 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2006-11-22 16:35 <DIR> d-------- C:\Program Files\MSN Messenger
2006-11-22 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yahoo!
2006-11-22 16:31 <DIR> d-------- C:\Program Files\Yahoo!
2006-11-22 11:26 <DIR> d-------- C:\New Files
2006-11-22 10:40 233,472 --a------ C:\WINDOWS\system32\Ilda32.dll
2006-11-22 10:39 304,128 --a------ C:\WINDOWS\IsUninst.exe
2006-11-22 10:39 <DIR> d-------- C:\Documents and Settings\Michael Sandler\WINDOWS
2006-11-22 09:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-22 09:49 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Lavasoft
2006-11-22 09:17 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\LCt
2006-11-22 09:12 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\ACD Systems
2006-11-22 09:10 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2006-11-22 09:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2006-11-21 23:11 <DIR> d-------- C:\WINDOWS\Sun
2006-11-21 23:11 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Sun
2006-11-21 23:07 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Talkback
2006-11-21 23:07 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Mozilla
2006-11-21 22:16 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\AdobeUM
2006-11-21 22:15 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Adobe
2006-11-21 21:59 1,712,128 -ra------ C:\WINDOWS\system32\gdiplus.dll
2006-11-21 21:45 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Help
2006-11-21 21:36 <DIR> d-------- C:\Program Files\PowerQuest
2006-11-21 20:17 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2006-11-21 19:56 <DIR> d-------- C:\Program Files\7-Zip
2006-11-21 19:54 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Macromedia
2006-11-21 19:45 23,808 --a------ C:\WINDOWS\system32\drivers\Dot4usb.sys
2006-11-21 19:45 207,360 --a------ C:\WINDOWS\system32\drivers\Dot4.sys
2006-11-21 19:45 12,928 --a------ C:\WINDOWS\system32\drivers\Dot4Prt.sys
2006-11-21 19:45 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2006-11-21 19:44 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-11-21 19:44 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2006-11-21 19:44 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2006-11-21 19:44 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2006-11-21 19:44 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-11-21 19:44 26,496 --a------ C:\WINDOWS\system32\drivers\USBSTOR.SYS
2006-11-21 19:44 180,224 --a------ C:\WINDOWS\system32\nvudisp.exe
2006-11-21 19:44 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys
2006-11-21 19:44 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2006-11-21 19:44 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2006-11-21 19:44 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-21 19:44 <DIR> d-------- C:\Program Files\CONEXANT
2006-11-21 19:44 <DIR> d-------- C:\3d2a98569c44fdfb3e38181d4345
2006-11-21 19:33 23,040 --------- C:\WINDOWS\kb913800.exe
2006-11-21 19:28 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2006-11-21 19:22 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Google
2006-11-21 19:16 <DIR> dr-h----- C:\Documents and Settings\Michael Sandler\SendTo
2006-11-21 19:16 <DIR> dr-h----- C:\Documents and Settings\Michael Sandler\Recent
2006-11-21 19:16 <DIR> dr-h----- C:\Documents and Settings\Michael Sandler\Application Data\.
2006-11-21 19:16 <DIR> dr-h----- C:\Documents and Settings\Michael Sandler\Application Data
2006-11-21 19:16 <DIR> dr------- C:\Documents and Settings\Michael Sandler\Start Menu
2006-11-21 19:16 <DIR> dr------- C:\Documents and Settings\Michael Sandler\Favorites
2006-11-21 19:16 <DIR> d--h----- C:\Documents and Settings\Michael Sandler\Templates
2006-11-21 19:16 <DIR> d--h----- C:\Documents and Settings\Michael Sandler\PrintHood
2006-11-21 19:16 <DIR> d--h----- C:\Documents and Settings\Michael Sandler\NetHood
2006-11-21 19:16 <DIR> d--h----- C:\Documents and Settings\Michael Sandler\Local Settings
2006-11-21 19:16 <DIR> d--h----- C:\Documents and Settings\Michael Sandler\Application Data\Gtek
2006-11-21 19:16 <DIR> d---s---- C:\Documents and Settings\Michael Sandler\Cookies
2006-11-21 19:16 <DIR> d---s---- C:\Documents and Settings\Michael Sandler\Application Data\Microsoft
2006-11-21 19:16 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Desktop
2006-11-21 19:16 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\Identities
2006-11-21 19:16 <DIR> d-------- C:\Documents and Settings\Michael Sandler\Application Data\..
2006-11-21 19:16 <DIR> d-------- C:\Documents and Settings\Michael Sandler\..
2006-11-21 19:16 <DIR> d-------- C:\Documents and Settings\Michael Sandler\.
2006-11-21 19:15 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2006-11-21 19:12 <DIR> d--hs---- C:\RECYCLER
2006-11-21 19:09 <DIR> d-------- C:\Program Files\EarthLink Setup
2006-11-21 19:08 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
2006-11-21 19:08 <DIR> d-------- C:\Program Files\Dell Support
2006-11-21 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GTek
2006-11-21 19:07 <DIR> d-------- C:\WINDOWS\SHELLNEW
2006-11-21 19:07 <DIR> d-------- C:\Program Files\Microsoft.NET
2006-11-21 19:07 <DIR> d-------- C:\Program Files\Microsoft Visual Studio
2006-11-21 19:07 <DIR> d-------- C:\Program Files\Microsoft Office
2006-11-21 19:07 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2006-11-21 19:07 <DIR> d-------- C:\Program Files\Common Files\L&H
2006-11-21 19:07 <DIR> d-------- C:\Program Files\Common Files\DESIGNER
2006-11-21 19:07 <DIR> d-------- C:\Program Files\Common Files\Adobe
2006-11-21 19:07 <DIR> d-------- C:\Program Files\Adobe
2006-11-21 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2006-11-21 19:06 <DIR> d-------- C:\Program Files\Sonic
2006-11-21 19:06 <DIR> d-------- C:\Program Files\Microsoft Works
2006-11-21 19:06 <DIR> d-------- C:\Program Files\Google
2006-11-21 19:06 <DIR> d-------- C:\Program Files\BAE
2006-11-21 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2006-11-21 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google
2006-11-21 19:05 94,263 --a------ C:\WINDOWS\DLA.EXE
2006-11-21 19:05 89,264 --a------ C:\WINDOWS\system32\drivers\DRVMCDB.SYS
2006-11-21 19:05 61,500 --a------ C:\WINDOWS\system32\DLAAPI_W.DLL
2006-11-21 19:05 5,628 --a------ C:\WINDOWS\system32\drivers\DLACDBHM.SYS
2006-11-21 19:05 40,544 --a------ C:\WINDOWS\system32\drivers\DRVNDDM.SYS
2006-11-21 19:05 22,684 --a------ C:\WINDOWS\system32\drivers\DLARTL_N.SYS
2006-11-21 19:05 <DIR> d-------- C:\WINDOWS\system32\DLA
2006-11-21 19:05 <DIR> d-------- C:\Program Files\Roxio
2006-11-21 19:05 <DIR> d-------- C:\Program Files\Common Files\TiVo Shared
2006-11-21 19:05 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2006-11-21 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2006-11-21 19:04 <DIR> d-------- C:\WINDOWS\occache
2006-11-21 19:04 <DIR> d-------- C:\Program Files\Trend Micro
2006-11-21 19:04 <DIR> d-------- C:\Program Files\Learn2.com
2006-11-21 19:04 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2006-11-21 19:04 <DIR> d-------- C:\Program Files\AOL Companion
2006-11-21 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2006-11-21 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2006-11-21 19:03 8,552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys
2006-11-21 19:03 54,784 --a------ C:\WINDOWS\system32\Inetwh32.dll
2006-11-21 19:03 33,588 --a------ C:\WINDOWS\system32\drivers\wanatw4.sys
2006-11-21 19:03 225,280 --a------ C:\WINDOWS\system32\AOLDial.dll
2006-11-21 19:03 153,088 --a------ C:\WINDOWS\system32\jgdwmie.dll
2006-11-21 19:03 1,044,480 --a------ C:\WINDOWS\system32\roboex32.dll
2006-11-21 19:03 <DIR> d-------- C:\Program Files\Real
2006-11-21 19:03 <DIR> d-------- C:\Program Files\Microsoft Plus! Photo Story 2 LE
2006-11-21 19:03 <DIR> d-------- C:\Program Files\Microsoft Plus! Digital Media Edition
2006-11-21 19:03 <DIR> d-------- C:\Program Files\Common Files\Real
2006-11-21 19:03 <DIR> d-------- C:\Program Files\Common Files\aolshare
2006-11-21 19:03 <DIR> d-------- C:\Program Files\Common Files\AOL
2006-11-21 19:03 <DIR> d-------- C:\Program Files\America Online 9.0
2006-11-21 19:03 <DIR> d-------- C:\My Music
2006-11-21 19:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2006-11-21 19:02 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2006-11-21 19:02 <DIR> d-------- C:\Program Files\NetWaiting
2006-11-21 19:02 <DIR> d-------- C:\Program Files\MUSICMATCH
2006-11-21 19:02 <DIR> d-------- C:\Program Files\Modem Helper
2006-11-21 19:02 <DIR> d-------- C:\Program Files\InterActual
2006-11-21 19:02 <DIR> d-------- C:\Program Files\Digital Line Detect
2006-11-21 19:02 <DIR> d-------- C:\Program Files\Dell
2006-11-21 19:02 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2006-11-21 19:01 126,976 --a------ C:\WINDOWS\system32\Imsmudlg.exe
2006-11-21 19:01 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2006-11-21 19:01 <DIR> d-------- C:\WINDOWS\system32\ENU
2006-11-21 19:01 <DIR> d-------- C:\Program Files\Intel
2006-11-21 19:01 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2006-11-21 19:01 <DIR> d-------- C:\drvrtmp
2006-11-21 18:58 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2006-11-21 18:58 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2006-11-21 18:58 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-11-21 18:58 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2006-11-21 18:58 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2006-11-21 18:58 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2006-11-21 18:58 282,624 --a------ C:\WINDOWS\stsystra.exe
2006-11-21 18:58 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2006-11-21 18:58 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2006-11-21 18:58 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2006-11-21 18:58 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2006-11-21 18:58 1,052,672 --a------ C:\WINDOWS\system32\stlang.dll
2006-11-21 18:58 <DIR> d-------- C:\Program Files\Sigmatel
2006-11-21 18:56 <DIR> d-------- C:\Program Files\Java
2006-11-21 18:56 <DIR> d-------- C:\Program Files\Common Files\Java
2006-11-21 18:54 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2006-11-18 18:00 <DIR> d-------- C:\dell
2006-11-18 17:58 90,112 --a------ C:\WINDOWS\system32\nvapi.dll
2006-11-18 17:58 90,112 --a------ C:\WINDOWS\system32\mdmxsdk.dll
2006-11-18 17:58 86,016 --a------ C:\WINDOWS\system32\nvmctray.dll
2006-11-18 17:58 81,920 --a------ C:\WINDOWS\system32\nvwddi.dll
2006-11-18 17:58 7,323,648 --a------ C:\WINDOWS\system32\nvcpl.dll
2006-11-18 17:58 680,704 --a------ C:\WINDOWS\system32\drivers\HSF_CNXT.sys
2006-11-18 17:58 56,832 --a------ C:\WINDOWS\system32\NicEtCoE.dll
2006-11-18 17:58 5,398,528 --a------ C:\WINDOWS\system32\nvoglnt.dll
2006-11-18 17:58 49,152 --a------ C:\WINDOWS\setpwrcg.exe
2006-11-18 17:58 45,056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2006-11-18 17:58 35,328 --a------ C:\WINDOWS\system32\nvcodins.dll
2006-11-18 17:58 35,328 --a------ C:\WINDOWS\system32\nvcod.dll
2006-11-18 17:58 335,872 --a------ C:\WINDOWS\system32\nvwrses.dll
2006-11-18 17:58 327,680 --a------ C:\WINDOWS\system32\nvwrsfr.dll
2006-11-18 17:58 323,584 --a------ C:\WINDOWS\system32\nvwrsit.dll
2006-11-18 17:58 32,218 --a------ C:\WINDOWS\system32\HSFCI008.dll
2006-11-18 17:58 319,488 --a------ C:\WINDOWS\system32\nvwrsptb.dll
2006-11-18 17:58 319,488 --a------ C:\WINDOWS\system32\nvwrsnl.dll
2006-11-18 17:58 311,296 --a------ C:\WINDOWS\system32\nvwrsde.dll
2006-11-18 17:58 303,104 --a------ C:\WINDOWS\system32\nvwrsfi.dll
2006-11-18 17:58 299,008 --a------ C:\WINDOWS\system32\nvwrsno.dll
2006-11-18 17:58 294,912 --a------ C:\WINDOWS\system32\nvwrssv.dll
2006-11-18 17:58 294,912 --a------ C:\WINDOWS\system32\nvwrsda.dll
2006-11-18 17:58 278,528 --a------ C:\WINDOWS\system32\nvrsfr.dll
2006-11-18 17:58 274,432 --a------ C:\WINDOWS\system32\nvrsit.dll
2006-11-18 17:58 274,432 --a------ C:\WINDOWS\system32\nvrses.dll
2006-11-18 17:58 270,336 --a------ C:\WINDOWS\system32\nvrsde.dll
2006-11-18 17:58 266,240 --a------ C:\WINDOWS\system32\nvrsnl.dll
2006-11-18 17:58 262,144 --a------ C:\WINDOWS\system32\nvrsptb.dll
2006-11-18 17:58 262,144 --a------ C:\WINDOWS\system32\nvrsja.dll
2006-11-18 17:58 258,048 --a------ C:\WINDOWS\system32\nvrsko.dll
2006-11-18 17:58 253,952 --a------ C:\WINDOWS\system32\e1000msg.dll
2006-11-18 17:58 249,856 --a------ C:\WINDOWS\system32\nvrssv.dll
2006-11-18 17:58 249,856 --a------ C:\WINDOWS\system32\nvrsno.dll
2006-11-18 17:58 249,856 --a------ C:\WINDOWS\system32\nvrsda.dll
2006-11-18 17:58 246,784 --a------ C:\WINDOWS\system32\drivers\iaStor.sys
2006-11-18 17:58 241,664 --a------ C:\WINDOWS\system32\nvrsfi.dll
2006-11-18 17:58 24,576 --a------ C:\WINDOWS\system32\DSRIRREM.EXE
2006-11-18 17:58 230,400 --a------ C:\WINDOWS\system32\drivers\e1e5132.sys
2006-11-18 17:58 229,376 --a------ C:\WINDOWS\system32\nvmccs.dll
2006-11-18 17:58 217,088 --a------ C:\WINDOWS\system32\nvrszhc.dll
2006-11-18 17:58 212,992 --a------ C:\WINDOWS\system32\nvwrsja.dll
2006-11-18 17:58 212,224 --a------ C:\WINDOWS\system32\drivers\HSFHWBS2.sys
2006-11-18 17:58 21,504 --a------ C:\WINDOWS\system32\NicCo.dll
2006-11-18 17:58 20,480 --a------ C:\WINDOWS\system32\NicInstE.dll
2006-11-18 17:58 196,608 --a------ C:\WINDOWS\system32\nvwrsko.dll
2006-11-18 17:58 167,936 --a------ C:\WINDOWS\system32\nvwrszht.dll
2006-11-18 17:58 163,840 --a------ C:\WINDOWS\system32\nvwrszhc.dll
2006-11-18 17:58 155,648 --a------ C:\WINDOWS\system32\GWSEH.dll
2006-11-18 17:58 143,427 --a------ C:\WINDOWS\system32\nvsvc32.exe
2006-11-18 17:58 126,976 --a------ C:\WINDOWS\system32\Prounstl.exe
2006-11-18 17:58 118,784 --a------ C:\WINDOWS\system32\nvrszht.dll
2006-11-18 17:58 11,043 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys
2006-11-18 17:58 1,488 --a------ C:\WINDOWS\system32\DSR_BAT.BAT
2006-11-18 17:58 1,042,432 --a------ C:\WINDOWS\system32\drivers\HSF_DP.sys
2006-11-18 17:58 <DIR> d--hs---- C:\WINDOWS\..
2006-11-18 17:58 <DIR> d-------- C:\WINDOWS\system32\drivers\..
2006-11-18 17:58 <DIR> d-------- C:\WINDOWS\system32\drivers\.
2006-11-18 17:58 <DIR> d-------- C:\WINDOWS\system32\drivers
2006-11-18 17:58 <DIR> d-------- C:\WINDOWS\system32\..
2006-11-18 17:58 <DIR> d-------- C:\WINDOWS\system32\.
2006-11-18 17:58 <DIR> d-------- C:\WINDOWS\system32
2006-11-18 17:58 <DIR> d-------- C:\WINDOWS\.
2006-11-18 17:58 <DIR> d-------- C:\WINDOWS
2006-11-18 17:58 <DIR> d-------- C:\i386
2006-11-18 17:58 <DIR> d-------- C:\drivers
2006-11-18 17:57 985,088 --a------ C:\WINDOWS\system32\setupapi.dll
2006-11-18 17:57 208,896 --a------ C:\WINDOWS\system32\stacapi.dll
2006-11-18 17:57 112,128 --a------ C:\WINDOWS\system32\staco.dll
2006-11-18 17:57 1,156,648 --a------ C:\WINDOWS\system32\drivers\sthda.sys
2006-11-18 17:57 <DIR> d-------- C:\WINDOWS\ehome
2006-11-18 17:56 884,736 --a------ C:\WINDOWS\system32\msimsg.dll
2006-11-18 17:56 78,848 --a------ C:\WINDOWS\system32\msiexec.exe
2006-11-18 17:56 453,120 --a------ C:\WINDOWS\system32\drivers\mrxsmb.sys
2006-11-18 17:56 271,360 --a------ C:\WINDOWS\system32\msihnd.dll
2006-11-18 17:56 2,890,240 --a------ C:\WINDOWS\system32\msi.dll
2006-11-18 17:56 15,360 --a------ C:\WINDOWS\system32\msisip.dll
2006-11-18 17:56 <DIR> d-------- C:\WINDOWS\system32\oobe
2006-11-18 17:56 <DIR> d-------- C:\WINDOWS\system32\dllcache
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-28 17:04 -------- d-------- C:\Program Files\Common Files
2006-11-28 09:29 -------- d-------- C:\Program Files\Internet Explorer
2006-11-22 16:54 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-11-21 19:44 -------- d-------- C:\Program Files\Windows Media Player
2006-11-21 19:07 -------- d-------- C:\Program Files\Common Files\System
2006-11-21 18:58 -------- d-------- C:\Program Files\Outlook Express
2006-11-21 18:56 -------- d-------- C:\Program Files\Messenger


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"OE_OEM"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\TMAS_OE\\TMAS_OEMon.exe\""
"Spamihilator"="\"D:\\Program Files\\Spamihilator\\spamihilator.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SigmatelSysTrayApp"="stsystra.exe"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe"
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\pccguide.exe\""
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"SysMetrix"="D:\\Program Files\\SysMetrix\\SysMetrix.exe"
"Share-to-Web Namespace Daemon"="D:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
@=""
"StatusClient"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Apache Tomcat 4.0\\webapps\\Toolbox\\StatusClient\\StatusClient.exe /auto"
"TomcatStartup"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\hpbpsttp.exe"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!AVG Anti-Spyware"="\"D:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{827D3881-317C-442A-B4ED-F576CBA700BB}"="GW SEH Intercept"
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoBandCustomize"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 06-11-29 6:09:45.61
C:\ComboFix.txt ... 06-11-29 06:09
C:\ComboFix2.txt ... 06-11-28 17:04




-----------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:12:41 AM, on 11/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\SysMetrix\SysMetrix.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
D:\Program Files\Spamihilator\spamihilator.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
E:\Internet\HiJ_This\Crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SysMetrix] D:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Spamihilator] "D:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectBar.lnk = D:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22....es/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

#15
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Michael

Your HJT log is now clean. We have some files to delete. But first some more Vundo to clear.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • You will receive a message saying Vundofix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click Scan for Vundo button.
  • Once the scan is complete, right-click inside the listbox (white box) and click Add more files?
  • Copy & paste the 2 entries below into the top 2 boxes:
    • C:\WINDOWS\system32\mljkihh.dll
    • C:\WINDOWS\system32\hhikllm.*
    • C:\WINDOWS\system32\opnommm.dll
    • C:\WINDOWS\system32\mmmonpo.*
  • Click Add Files and click Close Window.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a fresh HijackThis log, from normal mode.
Please reboot into safe mode.

Firstly, please delete this folder:

C:\WINDOWS\system32\appmgmt\

Now please delete these files: (if they still exist)

C:\delrb1.reg
C:\delrb.bat
C:\WINDOWS\system32\opnommm.dll
C:\WINDOWS\system32\carfheox.dll
C:\WINDOWS\system32\mljkihh.dll

Updating Java and Clearing Cache
  • Go to Start > Control Panel and double-click the Java icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked:
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
Please post the Vundofix log and confirm the deletion of the files.

How's the PC running now?
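One way to make the "confirm the deletion" step checkable against the fresh HijackThis log the reply asks for: an added Python example, not code from this thread or from HijackThis/VundoFix, that parses the log's `Oxx - ...` lines and reports which removal-list files are still referenced. The sample log and its O2/O20 lines are constructed (the BHO CLSID is a placeholder); the removal list repeats the file names posted above.

```python
"""Added example (not from the thread): cross-check a HijackThis log against a
removal list. Sample log lines and the placeholder CLSID are constructed."""
import fnmatch
import re
from typing import Dict, List, Tuple

# A HijackThis entry is "<section> - <text>", e.g. "O4 - HKLM\..\Run: [name] path /args".
_ENTRY = re.compile(r'^([ORF]\d+)\s+-\s+(.*)$')
# First drive-letter path ending in a binary extension; quotes and trailing args are dropped.
_PATH = re.compile(r'"?([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|cab|lnk))"?', re.IGNORECASE)

# Constructed sample: two lines in the style of the poster's log, plus two
# constructed lines that reference files from the helper's VundoFix list.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\hhikllm.dll
O20 - Winlogon Notify: mljkihh - C:\WINDOWS\system32\mljkihh.dll
"""

# Removal list as posted in the reply above ("hhikllm.*" is a wildcard in the original).
REMOVAL_LIST = [
    r"C:\WINDOWS\system32\mljkihh.dll",
    r"C:\WINDOWS\system32\hhikllm.*",
    r"C:\WINDOWS\system32\opnommm.dll",
    r"C:\WINDOWS\system32\mmmonpo.*",
]

def parse_hjt(log: str) -> List[Tuple[str, str, str]]:
    """Return (section, entry text, lowercased file path or '') per log entry."""
    entries = []
    for line in log.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            p = _PATH.search(m.group(2))
            entries.append((m.group(1), m.group(2), p.group(1).lower() if p else ""))
    return entries

def still_present(log: str, removal_list: List[str]) -> Dict[str, List[str]]:
    """Map each removal-list pattern to the log entries that still reference it.
    An empty dict means the fresh log no longer loads any of the listed files."""
    hits: Dict[str, List[str]] = {}
    for section, entry, path in parse_hjt(log):
        for pattern in removal_list:
            # fnmatch has no escape character, so the backslashes in the paths are literal.
            if path and fnmatch.fnmatchcase(path, pattern.lower()):
                hits.setdefault(pattern, []).append(f"{section} - {entry}")
    return hits
```

Run `still_present()` on the fresh log pasted into `SAMPLE_LOG`; any pattern it returns is a file that the VundoFix or manual deletion step did not remove.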