Almost there [RESOLVED]


#1
marcel (Member, 45 posts)

I'm trying to help a friend, who had a computer donated to him. I've removed as much malware as I could, but I believe there are still a few unwanted programs running. Here are the logs... Thanks

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:47:18 AM 1/29/2008

+ Scan result:



C:\Documents and Settings\Doug \Cookies\doug_ @2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Doug \Cookies\doug_ @pandasoftware.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
:mozilla.7:C:\Documents and Settings\Doug \Application Data\Mozilla\Firefox\Profiles\ysjsec8j.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Doug \Cookies\doug_ @tacoda[2].txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.6:C:\Documents and Settings\Doug \Application Data\Mozilla\Firefox\Profiles\ysjsec8j.default\cookies.txt -> TrackingCookie.Webtrends : No action taken.
C:\Documents and Settings\Doug \Cookies\doug_ @m.webtrends[1].txt -> TrackingCookie.Webtrends : No action taken.


::Report end

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/29/2008 at 01:44 PM

Application Version : 3.9.1008

Core Rules Database Version : 3390
Trace Rules Database Version: 1383

Scan type : Complete Scan
Total Scan Time : 00:57:59

Memory items scanned : 513
Memory threats detected : 0
Registry items scanned : 5213
Registry threats detected : 0
File items scanned : 60608
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\Doug \Cookies\doug_ @tacoda[2].txt
C:\Documents and Settings\Doug \Cookies\doug_ @pandasoftware.112.2o7[1].txt
C:\Documents and Settings\Doug \Cookies\doug_ @atwola[1].txt
C:\Documents and Settings\Doug \Cookies\doug_ @2o7[1].txt

Trojan.ZenoSearch
C:\WINDOWS\system32\msnav32.ax

Adware.Vundo-Variant/Small-A
C:\DOCUMENTS AND SETTINGS\DOUG \LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\O07DV4UN\AF1[1].DLL

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\__C001DC5C.DAT


Logfile of HijackThis v1.99.1
Scan saved at 5:12:06 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1167486166\ee\AOLSoftware.exe
C:\WINDOWS\system32\lcntqlwb.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Doug \Desktop\malware\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1167486166\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NI.UGDC_0001_N122M2610] "C:\Documents and Settings\Doug \Application Data\pcpriv.exe"
O4 - HKLM\..\Run: [{B2-23-34-4C-DW}] C:\WINDOWS\system32\rwwdw64d.exe DWmhst
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\lcntqlwb.exe DWmhst
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\UltimateCleaner.exe" hide
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - HKCU\..\Run: [A00FF041D.exe] C:\DOCUME~1\DOUGPE~1\LOCALS~1\Temp\_A00FF041D.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\lcntqlwb.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwdw64d.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c0049B17 - C:\WINDOWS\system32\__c0049B17.dat (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 9 ActiveX
Adobe Reader 6.0.1
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Uninstaller (Choose which Products to Remove)
AOLIcon
AVG Anti-Spyware 7.5
Conexant D850 56K V.9x DFVc Modem
Contraptions Demo
Corel Photo Album 6
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
DellSupport
Digital Content Portal
Digital Line Detect
EarthLink setup files
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hoyle Board Games 3 Demo
Hoyle Card Games 3 Demo
Hoyle Casino 5
Hoyle Word Games Demo
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Intel® PROSet for Wired Connections
Java 2 Runtime Environment, SE v1.4.2_03
McAfee VirusScan Enterprise
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Standard
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Helper
Mozilla Firefox (2.0.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
NetWaiting
NetZeroInstallers
Panda ActiveScan
Pinball Master
QuickTime
RealPlayer Basic
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Sonic Activation Module
Sonic Update Manager
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Viewpoint Media Player
WebCyberCoach 3.2 Dell
Windows Communication Foundation
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WordPerfect Office 12

#2
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3
marcel (Topic Starter, Member, 45 posts)

ComboFix 08-02.05.3 - Doug _ 2008-02-08 12:06:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.164 [GMT -5:00]
Running from: C:\Documents and Settings\Doug _\My Documents\Downloads\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Doug _\Application Data\antivirus.exe
C:\Documents and Settings\Doug _\Application Data\pcpriv.exe
C:\Documents and Settings\Doug _\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Doug _\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\eliteprotector
C:\WINDOWS\system32\__c0073201.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\nusrmgr.exe
C:\WINDOWS\system32\winpfz37.sys
C:\WINDOWS\system32\zxdnt3d.cfg

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-01-30 16:08 . 2008-01-30 16:08 <DIR> d-------- C:\Program Files\Dell Support Center
2008-01-30 16:08 . 2008-01-30 16:08 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-01-30 16:08 . 2008-01-30 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-01-29 15:56 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-28 18:56 . 2008-01-29 16:42 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-28 18:56 . 2008-01-29 15:52 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-28 18:56 . 2008-01-29 15:52 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-28 18:56 . 2008-01-29 15:52 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-28 13:10 . 2008-01-28 13:10 <DIR> d-------- C:\Program Files\MSBuild
2008-01-28 13:06 . 2008-01-30 18:02 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-01-28 13:06 . 2008-01-28 13:06 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-01-28 13:05 . 2008-01-28 13:05 <DIR> d-------- C:\75d4bc11831baaead79a9e7c4ad4
2008-01-28 13:05 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-01-28 13:04 . 2008-01-28 13:04 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-28 13:04 . 2008-01-28 13:04 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-28 13:04 . 2006-10-04 09:06 1,197,294 --------- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-01-28 13:04 . 2006-10-04 09:06 764,868 --------- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-01-28 13:04 . 2006-10-04 09:06 217,118 --------- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-01-28 13:03 . 2008-01-28 13:03 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-28 13:03 . 2008-01-28 13:03 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-28 13:02 . 2008-01-28 13:03 <DIR> d-------- C:\c83cae1c0288574ca6
2008-01-28 12:57 . 2006-11-13 01:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-01-28 12:57 . 2006-11-13 01:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2008-01-28 12:57 . 2006-11-13 01:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2008-01-25 22:22 . 2008-01-26 11:37 <DIR> d-------- C:\QUARANTINE
2008-01-25 22:15 . 2008-01-25 22:15 <DIR> d-------- C:\Program Files\McAfee
2008-01-25 22:15 . 2008-01-25 22:15 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-25 22:15 . 2008-01-25 22:15 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-01-25 22:15 . 2008-01-25 22:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-25 22:15 . 2006-11-17 03:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-01-25 22:15 . 2006-11-30 08:50 168,776 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-25 22:15 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-01-25 22:15 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-01-25 22:15 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-01-25 22:15 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-01-25 22:15 . 2006-11-17 03:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-01-25 20:33 . 2008-01-29 16:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-25 20:33 . 2008-01-25 20:33 <DIR> d-------- C:\Documents and Settings\Doug _\Application Data\SUPERAntiSpyware.com
2008-01-25 20:33 . 2008-01-25 20:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-25 20:31 . 2008-01-25 20:31 49,186 --a------ C:\WINDOWS\system32\kpwdw64k.exe
2008-01-23 18:48 . 2008-01-25 20:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-23 18:18 . 2008-01-23 18:18 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-01-23 16:45 . 2008-01-29 16:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-23 16:45 . 2008-01-23 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-23 16:40 . 2008-01-23 16:40 200,774 --a------ C:\WINDOWS\system32\lcntqlwb.exe
2008-01-23 16:40 . 2008-01-23 16:40 49,166 --a------ C:\WINDOWS\system32\rwwdw64d.exe
2008-01-23 15:38 . 2008-01-23 15:38 <DIR> d-------- C:\Documents and Settings\Administrator.D35S28B1\Application Data\Grisoft
2008-01-23 15:26 . 2008-01-23 15:26 <DIR> d-------- C:\Documents and Settings\Doug _\Application Data\Grisoft
2008-01-23 15:26 . 2008-01-23 15:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-23 15:26 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-23 13:02 . 2006-07-18 01:30 <DIR> d-------- C:\Documents and Settings\Administrator.D35S28B1\Application Data\Symantec
2008-01-23 11:08 . 2008-01-23 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-01-22 16:32 . 2006-03-23 03:33 40,960 --a------ C:\WINDOWS\system32\lxcyvs.dll
2008-01-22 16:31 . 2007-02-22 17:31 344,064 --a------ C:\WINDOWS\system32\lxcycoin.dll
2008-01-22 16:29 . 2008-01-22 16:31 <DIR> d-------- C:\Program Files\Lexmark 3400 Series
2008-01-22 16:12 . 2006-07-18 01:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-16 00:23 . 2008-01-16 00:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 00:23 . 2008-01-16 00:23 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 21:50 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-30 21:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 21:33 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-01-29 21:32 --------- d-----w C:\Program Files\Digital Line Detect
2008-01-29 21:32 --------- d-----w C:\Program Files\DellSupport
2008-01-26 18:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-26 02:41 --------- d-----w C:\Program Files\Adsense Helper Object
2008-01-23 23:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-22 21:36 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2008-01-16 05:26 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-16 02:07 --------- d-----w C:\Documents and Settings\Doug _\Application Data\FaxCtr
2007-12-26 22:07 --------- d-----w C:\Documents and Settings\Doug _\Application Data\AdobeUM
2007-12-26 16:45 --------- d-----w C:\Program Files\Lexmark Toolbar
2007-12-26 16:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\FaxCtr
2007-12-26 16:41 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-12-11 05:14 22,943 ----a-w C:\Documents and Settings\Doug _\Application Data\info.dat
2007-11-03 07:30 11,377 ----a-w C:\Documents and Settings\Doug _\wn10077.exe
2006-07-30 21:09 5,922,952 -c--a-w C:\Program Files\640-enu-xpinfu.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 20:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 20:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 20:50 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48 32881]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12 94208]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-07-18 01:27 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-18 01:27 98304]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 19:20 8192]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 19:20 110592]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20 122940]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50 71216]
"HostManager"="C:\Program Files\Common Files\AOL\1167486166\ee\AOLSoftware.exe" [2006-09-25 19:52 50736]
"{B2-23-34-4C-DW}"="C:\WINDOWS\system32\rwwdw64d.exe" [2008-01-23 16:40 49166]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 08:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-07-18 01:24:51 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0049B17]
C:\WINDOWS\system32\__c0049B17.dat

R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []

.
Contents of the 'Scheduled Tasks' folder
"2006-07-30 19:37:33 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2008-02-01 23:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D35S28B1-Doug _).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 12:08:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-08 12:09:22
ComboFix-quarantined-files.txt 2008-02-08 17:09:14
.
2008-01-29 08:04:37 --- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 12:10:23 PM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\AOL\1167486166\ee\AOLSoftware.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\system32\lcntqlwb.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Doug _\Desktop\malware\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1167486166\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [{B2-23-34-4C-DW}] C:\WINDOWS\system32\rwwdw64d.exe DWmhst
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c0049B17 - C:\WINDOWS\system32\__c0049B17.dat (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4 Rorschach112 (Ralphie) - Retired Staff, 47,710 posts
Hello

1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O4 - HKLM\..\Run: [{B2-23-34-4C-DW}] C:\WINDOWS\system32\rwwdw64d.exe DWmhst
O20 - Winlogon Notify: __c0049B17 - C:\WINDOWS\system32\__c0049B17.dat (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\kpwdw64k.exe
C:\WINDOWS\system32\lcntqlwb.exe
C:\WINDOWS\system32\rwwdw64d.exe
C:\Documents and Settings\Doug _\wn10077.exe
C:\WINDOWS\system32\rwwdw64d.exe
C:\WINDOWS\system32\__c0049B17.dat


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Reboot and post a new HijackThis log

#5 marcel (Topic Starter) - Member, 45 posts
Logfile of HijackThis v1.99.1
Scan saved at 3:29:41 PM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\AOL\1167486166\ee\AOLSoftware.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Documents and Settings\Doug _\Desktop\malware\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1167486166\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#6 Rorschach112 (Ralphie) - Retired Staff, 47,710 posts
Can you post the ComboFix log as well

#7 marcel (Topic Starter) - Member, 45 posts
ComboFix 08-02.05.3 - Doug _ 2008-02-08 12:42:54.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.154 [GMT -5:00]
Running from: C:\Documents and Settings\Doug _\My Documents\Downloads\ComboFix.exe
Command switches used :: C:\Documents and Settings\Doug _\My Documents\Downloads\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\Doug _\wn10077.exe
C:\WINDOWS\system32\__c0049B17.dat
C:\WINDOWS\system32\kpwdw64k.exe
C:\WINDOWS\system32\lcntqlwb.exe
C:\WINDOWS\system32\rwwdw64d.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\kpwdw64k.exe
C:\WINDOWS\system32\lcntqlwb.exe
C:\WINDOWS\system32\rwwdw64d.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-08 12:41 . 2004-08-04 05:00 388,608 --a------ C:\kmd.exe
2008-01-30 16:08 . 2008-01-30 16:08 <DIR> d-------- C:\Program Files\Dell Support Center
2008-01-30 16:08 . 2008-01-30 16:08 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-01-30 16:08 . 2008-01-30 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-01-29 15:56 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-28 18:56 . 2008-01-29 16:42 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-28 18:56 . 2008-01-29 15:52 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-28 18:56 . 2008-01-29 15:52 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-28 18:56 . 2008-01-29 15:52 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-28 13:10 . 2008-01-28 13:10 <DIR> d-------- C:\Program Files\MSBuild
2008-01-28 13:06 . 2008-01-30 18:02 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-01-28 13:06 . 2008-01-28 13:06 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-01-28 13:05 . 2008-01-28 13:05 <DIR> d-------- C:\75d4bc11831baaead79a9e7c4ad4
2008-01-28 13:05 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-01-28 13:04 . 2008-01-28 13:04 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-28 13:04 . 2008-01-28 13:04 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-28 13:04 . 2006-10-04 09:06 1,197,294 --------- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-01-28 13:04 . 2006-10-04 09:06 764,868 --------- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-01-28 13:04 . 2006-10-04 09:06 217,118 --------- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-01-28 13:03 . 2008-01-28 13:03 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-28 13:03 . 2008-01-28 13:03 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-28 13:02 . 2008-01-28 13:03 <DIR> d-------- C:\c83cae1c0288574ca6
2008-01-28 12:57 . 2006-11-13 01:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-01-28 12:57 . 2006-11-13 01:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2008-01-28 12:57 . 2006-11-13 01:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2008-01-25 22:22 . 2008-01-26 11:37 <DIR> d-------- C:\QUARANTINE
2008-01-25 22:15 . 2008-01-25 22:15 <DIR> d-------- C:\Program Files\McAfee
2008-01-25 22:15 . 2008-01-25 22:15 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-25 22:15 . 2008-01-25 22:15 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-01-25 22:15 . 2008-01-25 22:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-25 22:15 . 2006-11-17 03:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-01-25 22:15 . 2006-11-30 08:50 168,776 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-25 22:15 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-01-25 22:15 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-01-25 22:15 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-01-25 22:15 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-01-25 22:15 . 2006-11-17 03:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-01-25 20:33 . 2008-01-29 16:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-25 20:33 . 2008-01-25 20:33 <DIR> d-------- C:\Documents and Settings\Doug _\Application Data\SUPERAntiSpyware.com
2008-01-25 20:33 . 2008-01-25 20:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-23 18:48 . 2008-01-25 20:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-23 18:18 . 2008-01-23 18:18 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-01-23 16:45 . 2008-01-29 16:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-23 16:45 . 2008-01-23 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-23 15:38 . 2008-01-23 15:38 <DIR> d-------- C:\Documents and Settings\Administrator.D35S28B1\Application Data\Grisoft
2008-01-23 15:26 . 2008-01-23 15:26 <DIR> d-------- C:\Documents and Settings\Doug _\Application Data\Grisoft
2008-01-23 15:26 . 2008-01-23 15:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-23 15:26 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-23 13:02 . 2006-07-18 01:30 <DIR> d-------- C:\Documents and Settings\Administrator.D35S28B1\Application Data\Symantec
2008-01-23 11:08 . 2008-01-23 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-01-22 16:32 . 2006-03-23 03:33 40,960 --a------ C:\WINDOWS\system32\lxcyvs.dll
2008-01-22 16:31 . 2007-02-22 17:31 344,064 --a------ C:\WINDOWS\system32\lxcycoin.dll
2008-01-22 16:29 . 2008-01-22 16:31 <DIR> d-------- C:\Program Files\Lexmark 3400 Series
2008-01-22 16:12 . 2006-07-18 01:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-16 00:23 . 2008-01-16 00:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 00:23 . 2008-01-16 00:23 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 21:50 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-30 21:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 21:33 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-01-29 21:32 --------- d-----w C:\Program Files\Digital Line Detect
2008-01-29 21:32 --------- d-----w C:\Program Files\DellSupport
2008-01-26 18:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-26 02:41 --------- d-----w C:\Program Files\Adsense Helper Object
2008-01-23 23:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-22 21:36 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2008-01-16 05:26 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-16 02:07 --------- d-----w C:\Documents and Settings\Doug _\Application Data\FaxCtr
2007-12-26 22:07 --------- d-----w C:\Documents and Settings\Doug _\Application Data\AdobeUM
2007-12-26 16:45 --------- d-----w C:\Program Files\Lexmark Toolbar
2007-12-26 16:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\FaxCtr
2007-12-26 16:41 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-12-11 05:14 22,943 ----a-w C:\Documents and Settings\Doug _\Application Data\info.dat
2007-11-03 07:30 11,377 ----a-w C:\Documents and Settings\Doug _\wn10077.exe
2006-07-30 21:09 5,922,952 -c--a-w C:\Program Files\640-enu-xpinfu.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 20:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 20:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 20:50 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48 32881]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12 94208]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-07-18 01:27 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-18 01:27 98304]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 19:20 8192]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 19:20 110592]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20 122940]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50 71216]
"HostManager"="C:\Program Files\Common Files\AOL\1167486166\ee\AOLSoftware.exe" [2006-09-25 19:52 50736]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 08:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-07-18 01:24:51 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []

.
Contents of the 'Scheduled Tasks' folder
"2006-07-30 19:37:33 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2008-02-01 23:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D35S28B1-Doug _).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 12:44:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-08 12:44:37
ComboFix-quarantined-files.txt 2008-02-08 17:44:29
ComboFix2.txt 2008-02-08 17:09:23
.
2008-01-29 08:04:37 --- E O F ---

#8 Rorschach112 (Ralphie) - Retired Staff, 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\Doug _\wn10077.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


Reboot and post a new HijackThis log and tell me how your PC is running

#9 marcel (Topic Starter) - Member, 45 posts
Logfile of HijackThis v1.99.1
Scan saved at 3:26:10 PM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1167486166\ee\AOLSoftware.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Doug _\Desktop\malware\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1167486166\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

It seems to be running well. I'm going to run a defrag while I await your reply.

#10
Rorschach112
    Ralphie

  • Retired Staff
  • 47,710 posts
Can you post the ComboFix and SUPERAntiSpyware logs?

#11
marcel
    Member

  • Topic Starter
  • Member
  • 45 posts
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/09/2008 at 03:18 PM

Application Version : 3.9.1008

Core Rules Database Version : 3399
Trace Rules Database Version: 1391

Scan type : Complete Scan
Total Scan Time : 01:03:20

Memory items scanned : 540
Memory threats detected : 0
Registry items scanned : 5268
Registry threats detected : 0
File items scanned : 65385
File threats detected : 0


ComboFix 08-02.05.3 - Doug _ 2008-02-09 14:03:21.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.168 [GMT -5:00]
Running from: C:\Documents and Settings\Doug _\My Documents\Downloads\ComboFix.exe
Command switches used :: C:\Documents and Settings\Doug _\My Documents\Downloads\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\Doug _\wn10077.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-08 12:42 . 2004-08-04 05:00 388,608 --a------ C:\kmd.exe
2008-01-30 16:08 . 2008-01-30 16:08 <DIR> d-------- C:\Program Files\Dell Support Center
2008-01-30 16:08 . 2008-01-30 16:08 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-01-30 16:08 . 2008-01-30 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-01-29 15:56 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-28 18:56 . 2008-01-29 16:42 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-28 18:56 . 2008-01-29 15:52 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-28 18:56 . 2008-01-29 15:52 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-28 18:56 . 2008-01-29 15:52 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-28 13:10 . 2008-01-28 13:10 <DIR> d-------- C:\Program Files\MSBuild
2008-01-28 13:06 . 2008-01-30 18:02 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-01-28 13:06 . 2008-01-28 13:06 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-01-28 13:05 . 2008-01-28 13:05 <DIR> d-------- C:\75d4bc11831baaead79a9e7c4ad4
2008-01-28 13:05 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-01-28 13:04 . 2008-01-28 13:04 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-28 13:04 . 2008-01-28 13:04 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-28 13:04 . 2006-10-04 09:06 1,197,294 --------- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-01-28 13:04 . 2006-10-04 09:06 764,868 --------- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-01-28 13:04 . 2006-10-04 09:06 217,118 --------- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-01-28 13:03 . 2008-01-28 13:03 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-28 13:03 . 2008-01-28 13:03 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-28 13:02 . 2008-01-28 13:03 <DIR> d-------- C:\c83cae1c0288574ca6
2008-01-28 12:57 . 2006-11-13 01:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-01-28 12:57 . 2006-11-13 01:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2008-01-28 12:57 . 2006-11-13 01:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2008-01-25 22:22 . 2008-02-09 03:02 <DIR> d-------- C:\QUARANTINE
2008-01-25 22:15 . 2008-01-25 22:15 <DIR> d-------- C:\Program Files\McAfee
2008-01-25 22:15 . 2008-01-25 22:15 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-25 22:15 . 2008-01-25 22:15 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-01-25 22:15 . 2008-01-25 22:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-25 22:15 . 2006-11-17 03:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-01-25 22:15 . 2006-11-30 08:50 168,776 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-25 22:15 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-01-25 22:15 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-01-25 22:15 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-01-25 22:15 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-01-25 22:15 . 2006-11-17 03:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-01-25 20:33 . 2008-01-29 16:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-25 20:33 . 2008-01-25 20:33 <DIR> d-------- C:\Documents and Settings\Doug _\Application Data\SUPERAntiSpyware.com
2008-01-25 20:33 . 2008-01-25 20:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-23 18:48 . 2008-01-25 20:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-23 18:18 . 2008-01-23 18:18 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-01-23 16:45 . 2008-01-29 16:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-23 16:45 . 2008-01-23 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-23 15:38 . 2008-01-23 15:38 <DIR> d-------- C:\Documents and Settings\Administrator.D35S28B1\Application Data\Grisoft
2008-01-23 15:26 . 2008-01-23 15:26 <DIR> d-------- C:\Documents and Settings\Doug _\Application Data\Grisoft
2008-01-23 15:26 . 2008-01-23 15:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-23 15:26 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-23 13:02 . 2006-07-18 01:30 <DIR> d-------- C:\Documents and Settings\Administrator.D35S28B1\Application Data\Symantec
2008-01-23 11:08 . 2008-01-23 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-01-22 16:32 . 2006-03-23 03:33 40,960 --a------ C:\WINDOWS\system32\lxcyvs.dll
2008-01-22 16:31 . 2007-02-22 17:31 344,064 --a------ C:\WINDOWS\system32\lxcycoin.dll
2008-01-22 16:29 . 2008-01-22 16:31 <DIR> d-------- C:\Program Files\Lexmark 3400 Series
2008-01-22 16:12 . 2006-07-18 01:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-16 00:23 . 2008-01-16 00:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 00:23 . 2008-01-16 00:23 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 21:50 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-30 21:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 21:33 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-01-29 21:32 --------- d-----w C:\Program Files\Digital Line Detect
2008-01-29 21:32 --------- d-----w C:\Program Files\DellSupport
2008-01-26 18:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-26 02:41 --------- d-----w C:\Program Files\Adsense Helper Object
2008-01-23 23:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-22 21:36 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2008-01-16 05:26 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-16 02:07 --------- d-----w C:\Documents and Settings\Doug _\Application Data\FaxCtr
2007-12-26 22:07 --------- d-----w C:\Documents and Settings\Doug _\Application Data\AdobeUM
2007-12-26 16:45 --------- d-----w C:\Program Files\Lexmark Toolbar
2007-12-26 16:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\FaxCtr
2007-12-26 16:41 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-12-11 05:14 22,943 ----a-w C:\Documents and Settings\Doug _\Application Data\info.dat
2007-11-03 07:30 11,377 ----a-w C:\Documents and Settings\Doug _\wn10077.exe
2006-07-30 21:09 5,922,952 -c--a-w C:\Program Files\640-enu-xpinfu.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 20:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 20:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 20:50 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48 32881]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12 94208]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-07-18 01:27 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-18 01:27 98304]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 19:20 8192]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 19:20 110592]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20 122940]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50 71216]
"HostManager"="C:\Program Files\Common Files\AOL\1167486166\ee\AOLSoftware.exe" [2006-09-25 19:52 50736]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 08:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-07-18 01:24:51 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []

.
Contents of the 'Scheduled Tasks' folder
"2006-07-30 19:37:33 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2008-02-08 23:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D35S28B1-Doug _).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 14:05:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-09 14:05:43
ComboFix-quarantined-files.txt 2008-02-09 19:05:35
ComboFix2.txt 2008-02-08 17:44:37
ComboFix3.txt 2008-02-08 17:09:23
.
2008-01-29 08:04:37 --- E O F ---

#12
Rorschach112
    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean! We need to do a few things.

Now let's uninstall ComboFix:
  • Click START then RUN
  • Now type Combofix /u in the Run box and click OK
The above procedure will do the following:
  • Delete ComboFix and its associated files and folders.
  • Delete VundoFix backups, if present
  • Delete the C:\Deckard folder, if present
  • Delete the C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from here.


You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here:
http://www.adobe.com.../readstep2.html



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection by malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX.
IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Have a look at this tutorial for IE-Spyad here.

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here.

* Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place' here.

Thank you for your patience, and performing all of the procedures requested.

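A read-only check of two of the hardening items in the post above (the Internet-zone ActiveX settings changed through Inetcpl.cpl, and the HOSTS file that the MVPS replacement fills with 127.0.0.1 entries), as an added PowerShell example that is not part of the original thread. The registry path, the value names 1001/1004/1201 and the Enable/Prompt/Disable codes are Microsoft's documented layout for the Internet zone; the function names Get-ActiveXZoneAudit and Get-HostsAudit are my own. It reports drift from the recommended settings and changes nothing.

```powershell
# Added example, not code from the thread. Read-only audit of two items the post
# recommends: (1) the Internet-zone ActiveX settings changed through Inetcpl.cpl,
# (2) the HOSTS file, which the MVPS file fills with 127.0.0.1 sinkhole entries.
# Nothing is modified; run it as the user whose IE settings you want to check.

# --- (1) Internet zone ActiveX settings -------------------------------------
# Zones\3 is the Internet zone. Value names are the documented URL-action IDs;
# data 0 = Enable, 1 = Prompt, 3 = Disable. A value that is absent inherits
# the zone template, so it is reported as 'not set' rather than guessed.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended values from the post: Prompt, Prompt, Disable
$Recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 }
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 1 }
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
)
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneAudit {
    param([string]$Path = $ZonePath)
    if (-not (Test-Path -Path $Path)) { throw "Zone key not found: $Path" }
    $zone = Get-ItemProperty -Path $Path
    foreach ($r in $Recommended) {
        $current = $zone.($r.Id)
        if ($null -eq $current) { $currentLabel = 'not set' }
        elseif ($Label.ContainsKey([int]$current)) { $currentLabel = $Label[[int]$current] }
        else { $currentLabel = "unknown ($current)" }
        [pscustomobject]@{
            Id          = $r.Id
            Setting     = $r.Name
            Current     = $currentLabel
            Recommended = $Label[$r.Want]
            Compliant   = ($null -ne $current) -and ([int]$current -eq $r.Want)
        }
    }
}

# --- (2) HOSTS file ----------------------------------------------------------
# Names pointed at a loopback/unspecified address are sinkholes (what MVPS adds).
# Anything pointed at a real address is a redirect and deserves a look: an entry
# that sends update or security vendor sites to another IP is a classic hijack.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsAudit {
    param([string]$Path = $HostsPath)
    $sinkholes = @('127.0.0.1', '0.0.0.0', '::1')
    $entries = foreach ($line in Get-Content -Path $Path) {
        $text = ($line -split '#', 2)[0].Trim()      # strip comments
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }        # address with no names
        $address = $fields[0]
        if ($sinkholes -contains $address) { $kind = 'sinkhole' } else { $kind = 'redirect' }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Address = $address; Hostname = $name; Kind = $kind }
        }
    }
    [pscustomobject]@{
        Sinkholes = @($entries | Where-Object { $_.Kind -eq 'sinkhole' })
        Redirects = @($entries | Where-Object { $_.Kind -eq 'redirect' })
    }
}

Get-ActiveXZoneAudit | Format-Table -AutoSize
$hosts = Get-HostsAudit
"HOSTS: {0} sinkhole entries, {1} redirect entries" -f $hosts.Sinkholes.Count, $hosts.Redirects.Count
if ($hosts.Redirects.Count -gt 0) { $hosts.Redirects | Format-Table -AutoSize }
```

The ActiveX table shows a Compliant column per setting, so it doubles as a quick before/after check around the Inetcpl.cpl steps; the HOSTS part lists every name that does not resolve to the local machine, which after installing the MVPS file should be an empty list apart from whatever you added yourself.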
#13
Rorschach112
    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.