Geeks to Go

RunDLL + Regsvr32 popups when i log into my windows account [RESOLVED]


This topic is locked

#1 stevfunn (Member, 17 posts)
Whenever I turn on my computer, I get these popups (screenshot attached).

Here is my HijackThis log if it's needed:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:56 AM, on 3/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell AIO 810\dlcgmon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\system32\routing.exe
C:\Program Files\Crusty.exe.exe

R3 - URLSearchHook: Yahoo! μ?o?́? - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 82.98.86.179 kanjunkai.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\Program Files\Fvfkhoqo\djvrqvgp.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\mitpnyvo.dll (file missing)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: {82779fa0-f445-ae3a-8494-5d31b135acdc} - {cdca531b-13d5-4948-a3ea-544f0af97728} - C:\WINDOWS\system32\ijcxqbxx.dll (file missing)
O2 - BHO: (no name) - {E64F0381-0053-4842-B3E5-08F6C4A0AEB6} - C:\WINDOWS\system32\iiklrvft.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! μ?o?́? - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcgmon.exe] "C:\Program Files\Dell AIO 810\dlcgmon.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dejarchq] rundll32.exe "C:\Program Files\jknqzels\jszibapw.dll",Init
O4 - HKLM\..\Run: [axavkzeb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\axavkzeb.dll"
O4 - HKLM\..\Run: [tkxyrclo] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\tkxyrclo.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgum.dll,startup
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\bmminjjv.dll",sitypnow
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ViStart] C:\Documents and Settings\Stephen\Desktop\ViStart
O4 - HKLM\..\Policies\Explorer\Run: [vaoRPvNLfL] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: ?́3μ - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: ?́3μ(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2279B805-EA3C-4A9B-95D5-A9109CB3F452}: NameServer = 10.0.0.138
O17 - HKLM\System\CS1\Services\Tcpip\..\{2279B805-EA3C-4A9B-95D5-A9109CB3F452}: NameServer = 10.0.0.138
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: winosz32 - winosz32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 12583 bytes

Attached Thumbnails

  • Windowspopups.JPG

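Editor's note on the log above, with an added example that is not part of the original post and not a HijackThis feature: the autostart (O4) entries worth attention are the ones where rundll32 or regsvr32 loads a DLL with a meaningless name (jszibapw.dll, axavkzeb.dll, tkxyrclo.dll, drvgum.dll, bmminjjv.dll, ndaTqsVqrX.dll). Two details matter. `regsvr32 /u <dll>` at logon looks like a leftover uninstall step, but /u calls the DLL's DllUnregisterServer export, so the DLL's code runs at every logon while nothing is left registered for a casual look to find. And when such a loader's DLL has already been deleted (compare the O2 and O20 lines marked "(file missing)"), rundll32 and regsvr32 still get launched from the registry and each one throws an error box, which is the usual source of "RunDLL"/"Regsvr32" popups at logon; the O4 lines in this log carry no "(file missing)" marker, so file existence has to be checked on the machine. The O1 lines are a hosts-file hijack: an ad blocker would map pagead2.googlesyndication.com to 127.0.0.1, whereas a public IP sends those requests to a server of the attacker's choosing, and the eleven identical lines show the entry being re-added on each run. The script below scores the O4 lines and lists the hosts and service oddities; the indicator list, the 6-10-lowercase-letter "random name" regex and the threshold of two indicators are my heuristics tuned to this log, not a general rule, and the sample lines are copied from the log above (the NvCplDaemon, ZoneAlarm Client and NVSvc entries are legitimate and included for contrast).

```python
"""Triage of HijackThis log lines for the rundll32/regsvr32 autostart pattern in this thread."""
import re
from collections import Counter

# Lines copied from the HijackThis log in the first post above (not constructed). The
# NvCplDaemon, ZoneAlarm Client and NVSvc entries are legitimate and included for contrast.
SAMPLE_LOG = r"""
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 82.98.86.179 kanjunkai.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dejarchq] rundll32.exe "C:\Program Files\jknqzels\jszibapw.dll",Init
O4 - HKLM\..\Run: [axavkzeb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\axavkzeb.dll"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgum.dll,startup
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\bmminjjv.dll",sitypnow
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Policies\Explorer\Run: [vaoRPvNLfL] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
O20 - Winlogon Notify: winosz32 - winosz32.dll (file missing)
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
""".strip().splitlines()

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
DLL_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.I)
# Heuristic (my assumption, tuned to this log): the hijacked entries all use 6-10 lowercase
# letters with no vendor prefix (jszibapw, axavkzeb, tkxyrclo, bmminjjv, drvgum).
RANDOM_NAME_RE = re.compile(r"[a-z]{6,10}")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def triage_o4(line):
    """Return (value_name, score, reasons) for an O4 autostart line, or None if not O4.
    Each indicator adds one point; the reasons say which fired so a human can verify."""
    m = O4_RE.match(line)
    if not m:
        return None
    key, name, cmd = m.group("key"), m.group("name"), m.group("cmd")
    reasons = []
    exe = cmd.split()[0].strip('"').lower()
    if exe.startswith(("rundll32", "regsvr32")):
        reasons.append("DLL started through rundll32/regsvr32 instead of its own EXE")
    if exe.startswith("regsvr32") and "/u" in cmd.lower().split():
        # /u calls DllUnregisterServer: the DLL's code runs at every logon while nothing
        # stays registered, so the entry looks like cleanup rather than an autostart.
        reasons.append("regsvr32 /u at logon runs DLL code without registering anything")
    if "policies\\explorer\\run" in key.lower():
        reasons.append("Policies\\Explorer\\Run key, rarely used by legitimate software")
    dm = DLL_RE.search(cmd)
    if dm:
        path = dm.group(1) or dm.group(2)
        stem = path.rsplit("\\", 1)[-1][:-4]
        if RANDOM_NAME_RE.fullmatch(stem):
            reasons.append("random-looking lowercase DLL name %r" % stem)
        if "\\application data\\" in path.lower():
            reasons.append("DLL lives under Application Data, not a program directory")
    if RANDOM_NAME_RE.fullmatch(name):
        reasons.append("random-looking value name")
    return name, len(reasons), reasons


def flagged_autostarts(lines, threshold=2):
    """Value names of O4 entries with at least `threshold` indicators. One indicator alone
    is weak: NvCplDaemon legitimately uses rundll32 and scores 1."""
    out = []
    for line in lines:
        r = triage_o4(line)
        if r and r[1] >= threshold:
            out.append(r[0])
    return out


def hosts_hijacks(lines):
    """O1 entries that send a hostname to a non-loopback address, keyed (host, ip) with a
    repeat count. A blocker would use 127.0.0.1; a real IP redirects the traffic."""
    hits = Counter()
    for line in lines:
        m = re.match(r"^O1 - Hosts: (\S+) (\S+)$", line)
        if m and m.group(1) not in LOOPBACK:
            hits[(m.group(2), m.group(1))] += 1
    return dict(hits)


def missing_or_unowned(lines):
    """O20 Winlogon Notify entries whose DLL is gone (the registry entry outlived the file,
    the same situation that makes a loader throw an error box at logon) and O23 services
    with no publisher running from system32. 'Unknown owner' only means HijackThis found no
    company name in the file's version info; verify the file, do not delete on that alone."""
    hits = []
    for line in lines:
        if line.startswith("O20 ") and "(file missing)" in line:
            hits.append(line)
        elif line.startswith("O23 ") and "Unknown owner" in line and "\\system32\\" in line.lower():
            hits.append(line)
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        r = triage_o4(line)
        if r and r[1] >= 2:
            print("O4 [%s] score %d: %s" % (r[0], r[1], "; ".join(r[2])))
    for (host, ip), n in hosts_hijacks(SAMPLE_LOG).items():
        print("hosts: %s -> %s (x%d)" % (host, ip, n))
    for hit in missing_or_unowned(SAMPLE_LOG):
        print("check:", hit)
```

Run against the full log, the same rules also pick out the tkxyrclo regsvr32 /u entry; the O2 BHO lines with eight-letter DLL names marked "(file missing)" are the same family of files, already gone but still registered. The scores are a reading aid for the helper, not a removal list: a legitimate driver applet like NvCpl shares the rundll32 indicator, which is why a single indicator is not flagged.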


#2 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

First of all,

I understand that you need help in order to get rid of the malware that is present on your system, but you need to help us first.
I notice that you never scanned with an antivirus before starting this thread, because you don't even have an antivirus installed! I only see a firewall installed.
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply, together with a new HijackThis log.
Then we'll start from there, because it makes no sense for us to clean this up manually when no antivirus is present; one should be able to deal with most of this and prevent further reinfection.

We'll deal with the errors afterwards. It's a priority that all malware gets deleted first before we can deal with errors.

Also, before posting a new HijackThis log, please uninstall the ZoneAlarm Toolbar.
This one is NOT recommended. Please see here for more info:
http://sunbeltblog.b...uccumbs-to.html
http://thespykiller....pic,5515.0.html
http://certifiedbug.com/blog/
http://securitygarde...-zonealarm.html
http://www.bluetack....showtopic=18096
http://blogs.zdnet.com/security/?p=759

Edited by miekiemoes, 03 January 2008 - 07:41 AM.


#3 stevfunn (Topic Starter, Member, 17 posts)
Thanks for taking the time to help me =]

First of all, included in my ZoneAlarm Security Suite was an anti-virus, so I thought that I didn't need another one.

But I turned it off and installed Avira Antivirus, and I also uninstalled the ZoneAlarm toolbar.

Here's the report:

AntiVir PersonalEdition Classic
Report file date: Friday, 4 January 2008 13:09

Scanning for 1036370 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: WUSDELL

Version information:
BUILD.DAT : 269 15604 Bytes 2007-9-10 14:31:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 2007-8-23 03:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 2007-8-16 02:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 2007-8-14 05:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 2007-8-21 02:35:20
ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 2006-5-31 02:32:40
ANTIVIR1.VDF : 6.39.0.129 7251968 Bytes 2007-7-10 02:32:46
ANTIVIR2.VDF : 6.39.1.43 1542656 Bytes 2007-8-25 07:21:02
ANTIVIR3.VDF : 6.39.1.51 29696 Bytes 2007-8-28 21:22:36
AVEWIN32.DLL : 7.6.0.5 2789888 Bytes 2007-8-29 07:09:10
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2007-2-26 00:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 2007-7-17 21:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 2007-4-16 03:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 2007-8-2 22:46:00
AVREG.DLL : 7.0.1.6 30760 Bytes 2007-7-17 21:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 2007-8-28 02:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 2007-7-17 21:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 2007-3-8 01:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 2007-8-7 02:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 2007-8-21 02:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 2007-7-22 23:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: H:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Friday, 4 January 2008 13:09

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'jucheck.exe' - '1' Module(s) have been scanned
Scan process 'mantispm.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'DLG.exe' - '1' Module(s) have been scanned
Scan process 'daemon.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'dlcgcoms.exe' - '1' Module(s) have been scanned
Scan process 'DSAgnt.exe' - '1' Module(s) have been scanned
Scan process 'zlclient.exe' - '0' Module(s) have been scanned
Scan process 'AAWTray.exe' - '1' Module(s) have been scanned
Scan process 'avgas.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'apdproxy.exe' - '1' Module(s) have been scanned
Scan process 'GrooveMonitor.exe' - '1' Module(s) have been scanned
Scan process 'DLCGmon.exe' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'DLACTRLW.EXE' - '1' Module(s) have been scanned
Scan process 'DMXLauncher.exe' - '1' Module(s) have been scanned
Scan process 'IAAnotif.exe' - '1' Module(s) have been scanned
Scan process 'stsystra.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'fxssvc.exe' - '1' Module(s) have been scanned
Scan process 'wanmpsvc.exe' - '1' Module(s) have been scanned
Scan process 'symlcsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'routing.exe' - '1' Module(s) have been scanned
Scan process 'perfs.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'IAANTmon.exe' - '1' Module(s) have been scanned
Scan process 'hnm_svc.exe' - '1' Module(s) have been scanned
Scan process 'gearsec.exe' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '1' Module(s) have been scanned
Scan process 'ScanningProcess.exe' - '0' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'ScanningProcess.exe' - '0' Module(s) have been scanned
Scan process 'vsmon.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
53 processes with 53 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!
Boot sector 'G:\'
[NOTE] No virus was found!
Boot sector 'H:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '39' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP152\A0025644.exe
[DETECTION] Contains detection pattern of the dropper DR/Tool.Reboot.F.19
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP173\A0028061.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP173\A0028062.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP175\A0028194.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP175\A0028195.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP175\A0028196.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP175\A0028197.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP175\A0028198.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP177\A0028368.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP177\A0028369.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP190\A0034458.exe
[DETECTION] Is the Trojan horse TR/Drop.Zlob.ADA
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP190\A0034462.exe
[DETECTION] Contains detection pattern of the dropper DR/Dyfuca.DB.1
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP190\A0034691.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP196\A0036278.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP196\A0036279.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP196\A0036280.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP196\A0036281.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP196\A0036282.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP196\A0036283.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP196\A0036284.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP196\A0036285.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP196\A0036286.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP196\A0036287.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP196\A0036288.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP196\A0036289.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP196\A0036290.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP196\A0036291.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP196\A0036292.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP196\A0036293.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP196\A0036294.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP196\A0036295.dll
[DETECTION] Contains detection pattern of the Windows virus W95/Blumblebee.1738
[INFO] The file was deleted!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\' <Backup>
Begin scan in 'G:\'
Search path G:\ could not be opened!
The system cannot find the path specified.

Begin scan in 'H:\'
Search path H:\ could not be opened!
The system cannot find the path specified.



End of the scan: Friday, 4 January 2008 14:51
Used time: 1:41:51 min

The scan has been done completely.

7596 Scanning directories
405006 Files were scanned
31 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
31 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
4 Files cannot be scanned
404975 Files not concerned
4990 Archives were scanned
4 Warnings
3 Notes

And here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:06:45 PM, on 4/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell AIO 810\dlcgmon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Crusty.exe.exe

R3 - URLSearchHook: Yahoo! μ?o?́? - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 82.98.86.179 kanjunkai.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\Program Files\Fvfkhoqo\djvrqvgp.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\mitpnyvo.dll (file missing)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: {82779fa0-f445-ae3a-8494-5d31b135acdc} - {cdca531b-13d5-4948-a3ea-544f0af97728} - C:\WINDOWS\system32\ijcxqbxx.dll (file missing)
O2 - BHO: (no name) - {E64F0381-0053-4842-B3E5-08F6C4A0AEB6} - C:\WINDOWS\system32\iiklrvft.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! μ?o?́? - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcgmon.exe] "C:\Program Files\Dell AIO 810\dlcgmon.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dejarchq] rundll32.exe "C:\Program Files\jknqzels\jszibapw.dll",Init
O4 - HKLM\..\Run: [axavkzeb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\axavkzeb.dll"
O4 - HKLM\..\Run: [tkxyrclo] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\tkxyrclo.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgum.dll,startup
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\bmminjjv.dll",sitypnow
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ViStart] C:\Documents and Settings\Stephen\Desktop\ViStart
O4 - HKLM\..\Policies\Explorer\Run: [vaoRPvNLfL] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
O4 - HKLM\..\Policies\Explorer\Run: [y3X5yym6tm] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: ?́3μ - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: ?́3μ(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2279B805-EA3C-4A9B-95D5-A9109CB3F452}: NameServer = 10.0.0.138
O17 - HKLM\System\CS1\Services\Tcpip\..\{2279B805-EA3C-4A9B-95D5-A9109CB3F452}: NameServer = 10.0.0.138
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: winosz32 - winosz32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 13053 bytes

#4
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hi,

First of all, included in my ZoneAlarm Security Suite was an anti-virus, so I thought that I didn't need to include another one.

Yes, but you installed the trial version - this means you'll have to pay for the full version in case you want to use the antivirus feature. I'd rather make people aware of this instead of using the trial version, because once the trial expires, it won't protect against malware anymore. That's why you need another antivirus.

And as I said, I do not recommend ZoneAlarm anymore. The free version of the firewall is poor, and the fact that it now bundles the Ask toolbar makes it unwanted.

Anyway, do next please...

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\Program Files\Fvfkhoqo\djvrqvgp.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\mitpnyvo.dll (file missing)
O2 - BHO: {82779fa0-f445-ae3a-8494-5d31b135acdc} - {cdca531b-13d5-4948-a3ea-544f0af97728} - C:\WINDOWS\system32\ijcxqbxx.dll (file missing)
O2 - BHO: (no name) - {E64F0381-0053-4842-B3E5-08F6C4A0AEB6} - C:\WINDOWS\system32\iiklrvft.dll (file missing)
O4 - HKLM\..\Run: [dejarchq] rundll32.exe "C:\Program Files\jknqzels\jszibapw.dll",Init
O4 - HKLM\..\Run: [axavkzeb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\axavkzeb.dll"
O4 - HKLM\..\Run: [tkxyrclo] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\tkxyrclo.dll"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgum.dll,startup
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\bmminjjv.dll",sitypnow
O4 - HKCU\..\Run: [ViStart] C:\Documents and Settings\Stephen\Desktop\ViStart
O4 - HKLM\..\Policies\Explorer\Run: [vaoRPvNLfL] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
O4 - HKLM\..\Policies\Explorer\Run: [y3X5yym6tm] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
O20 - Winlogon Notify: winosz32 - winosz32.dll (file missing)
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Then, download ComboFix from here.
**Save it to your desktop**

In case you have used ComboFix before, please delete the version you have and download it again, because ComboFix is updated every day.

In case your antivirus or any other real-time scanner displays an alert after you download ComboFix or while you use it, please disable your scanner and download ComboFix again. Some scanners may see ComboFix-related components as suspicious and block or delete them, while there's nothing wrong with them.


* Doubleclick combofix.exe
Follow the prompts.
Note - Your internet connection will be terminated while ComboFix runs. Do Not attempt to re-enable it. Should ComboFix terminate prematurely, restart the computer to restore connectivity.
Don't click on the window while the fix is running, because that will cause your system to hang.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

When finished, and after reboot (in case it rebooted), ComboFix will open again to gather the necessary information for the log. This may take a bit. When done, ComboFix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
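The entries ticked in the post above share a few structural tells that can be checked mechanically, without knowing any of the random file names in advance: a BHO whose DLL no longer exists, rundll32 or regsvr32 used as a proxy to load a DLL (regsvr32 /u at every logon is a loader trick, not something an installer leaves behind), an autostart pointing into a user profile or into Policies\Explorer\Run, a Winlogon Notify package with no DLL, a hosts-file entry sending a hostname to a remote address, and a service with no vendor string. The script below is an added example written for this page, not code from the thread, from HijackThis or from ComboFix; it runs those checks over lines copied from the log posted above. The DLL allowlist, the fix/review severities and the rule thresholds are this example's assumptions, standing in for the signature and file-date checks an analyst actually does (the ComboFix output further down gives that kind of evidence, e.g. routing.exe created on 2008-01-03, the day before the post).

```python
"""Triage heuristics for HijackThis log lines.

Added example, not code from the thread or from HijackThis. The allowlist and
the severity rules are assumptions, not anything the forum post states.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "fix": strong structural signal; "review": needs a human look
    reason: str
    line: str


USER_WRITABLE = "c:\\documents and settings\\"      # anything under a user profile
KNOWN_GOOD_DLLS = {"nvcpl.dll", "dlcgtime.dll"}     # assumed allowlist (see docstring)
LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}          # hosts targets that block, not redirect

O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
O4_PROXY = re.compile(r'(rundll32(?:\.exe)?|regsvr32)\s+(/u\s+)?"?([^",]+\.dll)', re.I)
O23_RE = re.compile(r"^O23 - Service: (.+?) -\s*(.*?)\s*- (.+)$")


def check_line(line):
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    low = line.lower()
    if m := O1_RE.match(line):
        ip, host = m.groups()
        if ip not in LOCAL_IPS:
            return Finding("review", f"hosts file sends {host} to remote address {ip}", line)
    elif line.startswith("O2 - BHO:"):
        if "(file missing)" in line or "(no file)" in line:
            return Finding("fix", "BHO CLSID still registered but its DLL is gone", line)
    elif line.startswith("O4 - "):
        if "policies\\explorer\\run" in low:
            return Finding("fix", "autostart under Policies\\Explorer\\Run, rarely used legitimately", line)
        if m := O4_PROXY.search(line):
            loader, unreg, dll = m.groups()
            if unreg:
                return Finding("fix", "regsvr32 /u at every logon: a loader trick, not an installer", line)
            if dll.lower().startswith(USER_WRITABLE):
                return Finding("fix", f"{loader} loads a DLL from a user-writable path", line)
            if dll.lower().rsplit("\\", 1)[-1] not in KNOWN_GOOD_DLLS:
                return Finding("fix", f"{loader} proxy-executes a DLL not on the allowlist", line)
        elif USER_WRITABLE in low:
            return Finding("fix", "autostart target lives inside a user profile", line)
    elif line.startswith("O20 - Winlogon Notify:") and "(file missing)" in line:
        return Finding("fix", "Winlogon Notify package whose DLL is missing", line)
    elif m := O23_RE.match(line):
        _name, owner, path = m.groups()
        if owner in ("", "Unknown owner"):
            return Finding("review", f"service with no vendor string, image {path}", line)
    return None


def triage(log_text):
    """Run check_line over a log, dropping exact duplicate lines (HJT repeats hosts entries)."""
    seen, findings = set(), []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line in seen:
            continue
        seen.add(line)
        if f := check_line(line):
            findings.append(f)
    return findings


def fix_list(log_text):
    """Lines an analyst would tick in HijackThis on structural grounds alone."""
    return [f.line for f in triage(log_text) if f.severity == "fix"]


# Constructed sample: a subset of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\Program Files\Fvfkhoqo\djvrqvgp.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dejarchq] rundll32.exe "C:\Program Files\jknqzels\jszibapw.dll",Init
O4 - HKLM\..\Run: [axavkzeb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\axavkzeb.dll"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgum.dll,startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ViStart] C:\Documents and Settings\Stephen\Desktop\ViStart
O4 - HKLM\..\Policies\Explorer\Run: [vaoRPvNLfL] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
O20 - Winlogon Notify: winosz32 - winosz32.dll (file missing)
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it as a script to print every finding; fix_list() returns just the lines to tick. Hosts-file and service entries come back as "review" rather than "fix" because the line alone proves less: a hosts entry pointing at 127.0.0.1 would be a deliberate ad block, which is why the check keys on the address not being local, and a service with no vendor string still needs its image file examined (date, signature, hash) before it is removed.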

#5
stevfunn

    Member

  • Topic Starter
  • Member
  • 17 posts
I've done what you told me and fixed those items in HijackThis and used ComboFix.

ComboFix log (it says "Completion time: 2008-01-04 18:50:09
ComboFix-quarantined-files.txt 2008-01-04 07:50:04", so I'm not sure if it's the quarantined-files thing,
but it was the only Notepad file open when ComboFix finished):
.

ComboFix 08-01-04.1 - Stephen 2008-01-04 18:44:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.936.86.1033.18.541 [GMT 11:00]
Running from: C:\Documents and Settings\Stephen\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\WINDOWS\2.exe
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\vaoRPvNLfLuc.exe
C:\WINDOWS\PerfInfo\vaoRPvNLfLud.exe
C:\WINDOWS\PerfInfo\y3X5yym6tmuc.exe
C:\WINDOWS\PerfInfo\y3X5yym6tmud.exe
C:\WINDOWS\ppqvmpqr
C:\WINDOWS\ppqvmpqr\1.png
C:\WINDOWS\ppqvmpqr\2.png
C:\WINDOWS\ppqvmpqr\3.png
C:\WINDOWS\ppqvmpqr\4.png
C:\WINDOWS\ppqvmpqr\5.png
C:\WINDOWS\ppqvmpqr\6.png
C:\WINDOWS\ppqvmpqr\bottom-rc.gif
C:\WINDOWS\ppqvmpqr\content.png
C:\WINDOWS\ppqvmpqr\download.gif
C:\WINDOWS\ppqvmpqr\frame-bottom-left.gif
C:\WINDOWS\ppqvmpqr\frame-h1bg.gif
C:\WINDOWS\ppqvmpqr\head.png
C:\WINDOWS\ppqvmpqr\indexuc.html
C:\WINDOWS\ppqvmpqr\indexud.html
C:\WINDOWS\ppqvmpqr\main.css
C:\WINDOWS\ppqvmpqr\net.png
C:\WINDOWS\ppqvmpqr\pc-mag.gif
C:\WINDOWS\ppqvmpqr\pc.gif
C:\WINDOWS\ppqvmpqr\poloska1.png
C:\WINDOWS\ppqvmpqr\poloska2.png
C:\WINDOWS\ppqvmpqr\poloska3.png
C:\WINDOWS\ppqvmpqr\promouc1.html
C:\WINDOWS\ppqvmpqr\promouc2.html
C:\WINDOWS\ppqvmpqr\promouc3.html
C:\WINDOWS\ppqvmpqr\promouc4.html
C:\WINDOWS\ppqvmpqr\promouc5.html
C:\WINDOWS\ppqvmpqr\promoud1.html
C:\WINDOWS\ppqvmpqr\promoud2.html
C:\WINDOWS\ppqvmpqr\promoud3.html
C:\WINDOWS\ppqvmpqr\promoud4.html
C:\WINDOWS\ppqvmpqr\promoud5.html
C:\WINDOWS\ppqvmpqr\reg.png
C:\WINDOWS\ppqvmpqr\repair.png
C:\WINDOWS\ppqvmpqr\scr-1.png
C:\WINDOWS\ppqvmpqr\scr-2.png
C:\WINDOWS\ppqvmpqr\styles.css
C:\WINDOWS\ppqvmpqr\top-rc.gif
C:\WINDOWS\ppqvmpqr\vline.gif
C:\WINDOWS\system32\bfeguufo
C:\WINDOWS\system32\bfeguufo\bfeguufo1.exe
C:\WINDOWS\system32\bfeguufo\bfeguufo3.exe
C:\WINDOWS\system32\bfeguufo\bg1.gif
C:\WINDOWS\system32\bfeguufo\bgtop.gif
C:\WINDOWS\system32\bfeguufo\bottom1.gif
C:\WINDOWS\system32\bfeguufo\essentials.gif
C:\WINDOWS\system32\bfeguufo\icon1.ico
C:\WINDOWS\system32\bfeguufo\install1.gif
C:\WINDOWS\system32\bfeguufo\left1.gif
C:\WINDOWS\system32\bfeguufo\li.gif
C:\WINDOWS\system32\bfeguufo\logo.gif
C:\WINDOWS\system32\bfeguufo\main.htm
C:\WINDOWS\system32\bfeguufo\mainframe.htm
C:\WINDOWS\system32\bfeguufo\reinstall1.gif
C:\WINDOWS\system32\bfeguufo\right1.gif
C:\WINDOWS\system32\bfeguufo\s1.htm
C:\WINDOWS\system32\bfeguufo\s2.htm
C:\WINDOWS\system32\bfeguufo\s3.htm
C:\WINDOWS\system32\bfeguufo\SMTop1.gif
C:\WINDOWS\system32\bfeguufo\SMTop2.gif
C:\WINDOWS\system32\bfeguufo\SMTop3.gif
C:\WINDOWS\system32\bfeguufo\SMTop4.gif
C:\WINDOWS\system32\bfeguufo\soft1_off.gif
C:\WINDOWS\system32\bfeguufo\soft1_off_ext.gif
C:\WINDOWS\system32\bfeguufo\soft1_on.gif
C:\WINDOWS\system32\bfeguufo\soft1_on_ext.gif
C:\WINDOWS\system32\bfeguufo\soft2_off.gif
C:\WINDOWS\system32\bfeguufo\soft2_off_ext.gif
C:\WINDOWS\system32\bfeguufo\soft2_on.gif
C:\WINDOWS\system32\bfeguufo\soft2_on_ext.gif
C:\WINDOWS\system32\bfeguufo\soft3_off.gif
C:\WINDOWS\system32\bfeguufo\soft3_off_ext.gif
C:\WINDOWS\system32\bfeguufo\soft3_on.gif
C:\WINDOWS\system32\bfeguufo\soft3_on_ext.gif
C:\WINDOWS\system32\bfeguufo\softbottom_off.gif
C:\WINDOWS\system32\bfeguufo\softbottom_on.gif
C:\WINDOWS\system32\bfeguufo\softleft_off.gif
C:\WINDOWS\system32\bfeguufo\softleft_on.gif
C:\WINDOWS\system32\bfeguufo\top1.gif
C:\WINDOWS\system32\bfeguufo\top2.gif
C:\WINDOWS\system32\bfeguufo\turnoff1.gif
C:\WINDOWS\system32\bfeguufo\turnon1.gif
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ndaTqsVqrX.dll
C:\WINDOWS\system32\qrqss.bak1
C:\WINDOWS\system32\qrqss.bak2
C:\WINDOWS\system32\qrqss.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-04 18:44 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 18:37 . 2008-01-04 18:37 <DIR> d-------- C:\Program Files\backups
2008-01-04 13:01 . 2008-01-04 13:01 <DIR> d-------- C:\Program Files\Avira
2008-01-04 13:01 . 2008-01-04 13:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-03 11:32 . 2008-01-03 11:32 32,256 --a------ C:\WINDOWS\system32\routing.exe
2008-01-02 00:26 . 2008-01-02 00:26 45,056 --a------ C:\WINDOWS\system32\Indt2.sys
2008-01-01 10:42 . 2008-01-01 10:42 <DIR> d-------- C:\Documents and Settings\Ann\Application Data\MailFrontier
2007-12-28 15:54 . 2008-01-04 11:15 796 --a------ C:\rollback.ini
2007-12-28 15:36 . 2007-12-28 15:36 <DIR> d-------- C:\Documents and Settings\Stephen\Application Data\MailFrontier
2007-12-28 14:28 . 2007-12-28 14:28 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-28 14:00 . 2007-12-28 14:00 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\MailFrontier
2007-12-28 02:26 . 2008-01-04 18:48 12,420,384 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-28 02:26 . 2008-01-04 15:16 169,904 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-28 01:57 . 2007-12-28 15:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-28 01:57 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-12-28 01:57 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-12-28 01:57 . 2008-01-04 15:17 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-12-28 01:30 . 2007-12-28 01:38 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-28 01:30 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-12-27 12:22 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-27 01:06 . 2008-01-04 13:06 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-27 01:06 . 2007-12-27 01:06 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-27 01:06 . 2007-12-27 01:06 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-27 01:06 . 2007-12-27 01:06 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-12 22:54 . 2007-12-12 22:54 127 --a------ C:\WINDOWS\system32\MRT.INI
2007-12-10 20:02 . 2007-12-24 11:09 1,794 --ahs---- C:\WINDOWS\system32\nmnitbji.ini
2007-12-09 20:05 . 2007-12-09 20:05 474 --ahs---- C:\WINDOWS\system32\ojnaopcj.ini
2007-12-07 23:55 . 2007-12-07 23:55 0 --a------ C:\WINDOWS\system32\history.aaw
2007-12-07 19:45 . 2007-12-09 19:59 414 --ahs---- C:\WINDOWS\system32\fjotaadm.ini
2007-12-06 19:50 . 2007-12-06 19:50 294 --ahs---- C:\WINDOWS\system32\wupxohgv.ini
2007-12-04 22:51 . 2007-12-04 22:51 714 --ahs---- C:\WINDOWS\system32\vuckvmfq.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 07:30 12,915 ----a-w C:\Program Files\hijackthis.log
2007-12-28 04:42 --------- d-----w C:\Program Files\FlashGet
2007-12-28 04:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-27 02:12 --------- d-----w C:\Program Files\WinAVI Video Converter
2007-12-27 02:08 --------- d-----w C:\Program Files\MSN Messenger
2007-12-27 02:03 --------- d-----w C:\Program Files\Google
2007-12-27 02:02 --------- d-----w C:\Program Files\Digital Line Detect
2007-12-27 02:02 --------- d-----w C:\Program Files\Dell Support
2007-12-27 02:02 --------- d-----w C:\Program Files\Dell Network Assistant
2007-12-27 02:02 --------- d-----w C:\Program Files\Dell AIO 810
2007-12-27 02:02 --------- d-----w C:\Program Files\DAEMON Tools
2007-12-27 01:59 --------- d-----w C:\Program Files\BAE
2007-12-27 01:59 --------- d-----w C:\Program Files\Afwcktmf
2007-12-27 01:39 --------- d-----w C:\Documents and Settings\Stephen\Application Data\Symantec
2007-12-27 01:20 --------- d-----w C:\Program Files\The KMPlayer
2007-12-24 14:21 --------- d-----w C:\Program Files\jknqzels
2007-12-24 14:21 --------- d-----w C:\Program Files\Fvfkhoqo
2007-12-24 13:13 --------- d-----w C:\Program Files\Gzetqiux
2007-12-24 13:01 253,440 ----a-w C:\WINDOWS\system32\ndt2.sys
2007-12-21 02:47 --------- d-----w C:\Program Files\Dl_cats
2007-12-15 11:59 --------- d-----w C:\Program Files\Valve
2007-12-15 00:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-02 12:32 --------- d-----w C:\Program Files\DVDInfoPro
2007-12-02 12:12 --------- d-----w C:\Documents and Settings\Stephen\Application Data\CopyToDvd
2007-12-02 11:45 --------- d-----w C:\Program Files\DVDlabStudio
2007-11-28 08:58 --------- d-----w C:\Program Files\Easy Graphic Converter
2007-11-28 05:39 --------- d-----w C:\Documents and Settings\Stephen\Application Data\Sony
2007-11-28 05:39 --------- d-----w C:\Documents and Settings\Stephen\Application Data\Publish Providers
2007-11-28 05:21 --------- d-----w C:\Program Files\VSTPlugins
2007-11-28 05:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2007-11-28 05:20 --------- d-----w C:\Program Files\Sony Setup
2007-11-28 05:20 --------- d-----w C:\Program Files\Sony
2007-11-25 11:32 35,936 ----a-w C:\WINDOWS\system32\drivers\Pcouffin.sys
2007-11-25 11:32 --------- d-----w C:\Program Files\vso
2007-11-25 04:06 --------- d-----w C:\Documents and Settings\Stephen\Application Data\ArcSoft
2007-11-20 12:16 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-11-19 09:17 --------- d-----w C:\Documents and Settings\Alan\Application Data\Sonic
2007-11-18 00:03 --------- d-----w C:\Program Files\MP3Gain
2007-11-15 05:35 --------- d-----w C:\Documents and Settings\Stephen\Application Data\Media Player Classic
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-14 05:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 07:27 --------- d-----w C:\Documents and Settings\Stephen\Application Data\GRETECH
2007-11-11 22:44 --------- d-----w C:\Program Files\Real Alternative
2007-11-11 22:44 --------- d-----w C:\Documents and Settings\Alan\Application Data\Media Player Classic
2007-11-11 22:34 --------- d-----w C:\Program Files\GRETECH
2007-11-08 19:38 --------- d-----w C:\Documents and Settings\Ann\Application Data\Grisoft
2007-11-05 07:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-30 09:55 3,065,856 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 06:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 06:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-11 05:57 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-10-11 05:57 666,112 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-11 05:57 617,984 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-11 05:57 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-11 05:57 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-11 05:57 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-10-11 05:57 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-11 05:57 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-11 05:57 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-10-11 05:57 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-10-11 05:57 205,824 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-11 05:57 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-11 05:57 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-10-11 05:57 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-11 05:57 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-11 05:57 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-10-11 05:57 1,024,000 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-10-10 10:48 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-09-08 04:34 12,413,440 ----a-w C:\Program Files\avgas-setup-7.5.1.43.exe
2007-09-08 04:24 401,720 ----a-w C:\Program Files\Crusty.exe.exe
2007-08-30 08:37 6,456 --sha-w C:\WINDOWS\system32\oqstv.bak1
2007-09-08 03:29 993,804 --sha-w C:\WINDOWS\system32\oqstv.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-29 00:57 395776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 20:07 68856]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-16 22:24 167368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-16 11:39 7323648]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 08:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 08:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 08:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 08:00 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 16:03 36975]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 13:20 282624 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 10:15 151552]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 06:12 94208]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 08:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 19:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 19:50 81920]
"DLCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll" [2005-09-08 01:56 73728]
"dlcgmon.exe"="C:\Program Files\Dell AIO 810\dlcgmon.exe" [2005-10-20 22:42 425984]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 20:25 6731312]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 16:53 88024]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25 249896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-05-31 11:07:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 7.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 7.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 7.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=C:\WINDOWS\pss\Dell Network Assistant.lnkCommon Startup

R2 perfmons;perfmons Service;C:\WINDOWS\system32\perfs.exe [2004-08-04 08:00]
R2 Routing;Routing Service;C:\WINDOWS\system32\routing.exe [2008-01-03 11:32]
S1 vcdrom;Virtual CD-ROM Device Driver;C:\Documents and Settings\Stephen\Desktop\VCdRom.sys []
S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys [2005-05-11 22:12]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys [2005-05-11 22:12]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys [2005-05-11 22:12]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k600mgmt.sys [2005-05-11 22:12]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys [2005-03-04 20:15]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 06:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36b02f06-1f96-11dc-b67e-00038a000015}]
\Shell\AutoRun\command - F:\Installer.exe

*Newly Created Service* - PROCEXP90
*Newly Created Service* - SSMDRV
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 18:49:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04 18:50:09
ComboFix-quarantined-files.txt 2008-01-04 07:50:04
.
2007-12-25 14:53:06 --- E O F ---

And my new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:43 PM, on 4/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell AIO 810\dlcgmon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Crusty.exe.exe

R3 - URLSearchHook: Yahoo! μ?o?́? - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 82.98.86.179 kanjunkai.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! μ?o?́? - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcgmon.exe] "C:\Program Files\Dell AIO 810\dlcgmon.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: ?́3μ - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: ?́3μ(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2279B805-EA3C-4A9B-95D5-A9109CB3F452}: NameServer = 10.0.0.138
O17 - HKLM\System\CS1\Services\Tcpip\..\{2279B805-EA3C-4A9B-95D5-A9109CB3F452}: NameServer = 10.0.0.138
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11480 bytes

#6 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

Normally, most Rundll32 errors should be gone now, but we're not finished yet.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\Indt2.sys
C:\WINDOWS\system32\nmnitbji.ini
C:\WINDOWS\system32\ojnaopcj.ini
C:\WINDOWS\system32\history.aaw
C:\WINDOWS\system32\fjotaadm.ini
C:\WINDOWS\system32\wupxohgv.ini
C:\WINDOWS\system32\vuckvmfq.ini
C:\WINDOWS\system32\ndt2.sys
C:\WINDOWS\system32\oqstv.bak1
C:\WINDOWS\system32\oqstv.bak2

Folder::
C:\Program Files\Afwcktmf
C:\Program Files\jknqzels
C:\Program Files\Fvfkhoqo
C:\Program Files\Gzetqiux

Driver::
Routing
perfmons


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
  • 0
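As an added example (not the helper's code, nor anything from HijackThis or ComboFix), the following Python script does the triage the helper did by hand on the log above: it flags the O1 hosts-file redirects and the publisher-less services in system32, and drafts the File:: and Driver:: sections of a CFScript only for the services an analyst confirms. The sample lines are constructed from this thread's log, and the "no publisher plus system32" rule is a heuristic assumed here, not a rule from either tool.

```python
"""Triage a HijackThis v2 log for hosts-file redirects and publisher-less
services, then draft the File::/Driver:: sections of a ComboFix CFScript for
the entries an analyst has confirmed. Added example for this thread; not code
from the helper, HijackThis or ComboFix."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a few lines in the shape of the HijackThis log posted
# above (O1 hosts entries and O23 services), not the complete log.
SAMPLE_LOG = r"""
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 91.184.6.104 pagead2.googlesyndication.com
O1 - Hosts: 82.98.86.179 kanjunkai.com
O1 - Hosts: 127.0.0.1 localhost
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
# display name, optional (short name), owner (may be blank), path with drive letter
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.*?) ?- (?P<path>[A-Za-z]:\\.*)$"
)
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
SYSTEM_DIR = "c:\\windows\\system32\\"


@dataclass
class Service:
    display: str
    name: str   # short service name as used in Driver::, or display name if none
    owner: str
    path: str


def hosts_redirects(log):
    """Hostnames pointed at a non-local address -> (ip, number of lines).
    A real domain sent to an outside IP is the finding; the count shows how
    many times the hosts file repeats it (eleven times in the log above)."""
    ips, count = {}, Counter()
    for line in log.splitlines():
        m = HOSTS_RE.match(line)
        if m and m.group(1) not in LOCAL_ADDRS:
            ips[m.group(2)] = m.group(1)
            count[m.group(2)] += 1
    return {host: (ips[host], n) for host, n in count.items()}


def parse_services(log):
    """Every O23 line as a Service; lines that do not fit the format are skipped."""
    out = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            out.append(Service(m.group("display"),
                               m.group("name") or m.group("display"),
                               m.group("owner").strip(), m.group("path")))
    return out


def suspicious_services(log):
    """Services with no publisher ('Unknown owner' or blank) whose binary sits
    directly in system32. A triage heuristic only: on the log above it catches
    perfs.exe and routing.exe but also the Dell printer service dlcgcoms.exe,
    so each hit still needs a human decision before anything is removed."""
    return [s for s in parse_services(log)
            if s.owner in ("", "Unknown owner")
            and s.path.lower().startswith(SYSTEM_DIR)]


def draft_cfscript(log, confirmed):
    """File:: and Driver:: sections in the layout the helper posted, limited to
    flagged services whose short name the analyst put in `confirmed`."""
    picked = [s for s in suspicious_services(log) if s.name in confirmed]
    if not picked:
        return ""
    files = "\n".join(s.path for s in picked)
    drivers = "\n".join(s.name for s in picked)
    return f"File::\n{files}\n\nDriver::\n{drivers}\n"


if __name__ == "__main__":
    for host, (ip, n) in hosts_redirects(SAMPLE_LOG).items():
        print(f"hosts redirect: {host} -> {ip} ({n} line(s))")
    for s in suspicious_services(SAMPLE_LOG):
        print(f"review service: {s.name} owner={s.owner!r} path={s.path}")
    print(draft_cfscript(SAMPLE_LOG, {"perfmons", "Routing"}))
```

Run against the sample, the Symantec service is not flagged (its binary is under Program Files) while dlcg_device is flagged and then dropped at the confirmation step, which is the point: the heuristic narrows the list, the analyst decides.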

#7 stevfunn (Topic Starter, Member, 17 posts)
Hey

I've done everything you told me to do.

Here's the contents of Combofix.txt:

ComboFix 08-01-04.1 - Stephen 2008-01-04 20:19:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.936.86.1033.18.529 [GMT 11:00]
Running from: C:\Documents and Settings\Stephen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Stephen\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\fjotaadm.ini
C:\WINDOWS\system32\history.aaw
C:\WINDOWS\system32\Indt2.sys
C:\WINDOWS\system32\ndt2.sys
C:\WINDOWS\system32\nmnitbji.ini
C:\WINDOWS\system32\ojnaopcj.ini
C:\WINDOWS\system32\oqstv.bak1
C:\WINDOWS\system32\oqstv.bak2
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\vuckvmfq.ini
C:\WINDOWS\system32\wupxohgv.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Afwcktmf
C:\Program Files\Fvfkhoqo
C:\Program Files\Gzetqiux
C:\Program Files\jknqzels
C:\WINDOWS\system32\fjotaadm.ini
C:\WINDOWS\system32\history.aaw
C:\WINDOWS\system32\Indt2.sys
C:\WINDOWS\system32\ndt2.sys
C:\WINDOWS\system32\nmnitbji.ini
C:\WINDOWS\system32\ojnaopcj.ini
C:\WINDOWS\system32\oqstv.bak1
C:\WINDOWS\system32\oqstv.bak2
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\vuckvmfq.ini
C:\WINDOWS\system32\wupxohgv.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_PERFMONS
-------\LEGACY_ROUTING
-------\perfmons
-------\Routing


((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-04 18:44 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 18:37 . 2008-01-04 18:37 <DIR> d-------- C:\Program Files\backups
2008-01-04 13:01 . 2008-01-04 13:01 <DIR> d-------- C:\Program Files\Avira
2008-01-04 13:01 . 2008-01-04 13:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-01 10:42 . 2008-01-01 10:42 <DIR> d-------- C:\Documents and Settings\Ann\Application Data\MailFrontier
2007-12-28 15:54 . 2008-01-04 11:15 796 --a------ C:\rollback.ini
2007-12-28 15:36 . 2007-12-28 15:36 <DIR> d-------- C:\Documents and Settings\Stephen\Application Data\MailFrontier
2007-12-28 14:28 . 2007-12-28 14:28 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-28 14:00 . 2007-12-28 14:00 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\MailFrontier
2007-12-28 02:26 . 2008-01-04 20:26 12,456,224 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-28 02:26 . 2008-01-04 20:24 170,984 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-28 01:57 . 2007-12-28 15:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-28 01:57 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-12-28 01:57 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-12-28 01:57 . 2008-01-04 20:25 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-12-28 01:30 . 2007-12-28 01:38 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-28 01:30 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-12-27 12:22 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-27 01:06 . 2008-01-04 13:06 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-27 01:06 . 2007-12-27 01:06 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-27 01:06 . 2007-12-27 01:06 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-27 01:06 . 2007-12-27 01:06 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-12 22:54 . 2007-12-12 22:54 127 --a------ C:\WINDOWS\system32\MRT.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 08:23 11,490 ----a-w C:\Program Files\hijackthis1.txt
2008-01-04 08:22 11,490 ----a-w C:\Program Files\hijackthis.log
2007-12-28 04:42 --------- d-----w C:\Program Files\FlashGet
2007-12-28 04:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-27 02:12 --------- d-----w C:\Program Files\WinAVI Video Converter
2007-12-27 02:08 --------- d-----w C:\Program Files\MSN Messenger
2007-12-27 02:03 --------- d-----w C:\Program Files\Google
2007-12-27 02:02 --------- d-----w C:\Program Files\Digital Line Detect
2007-12-27 02:02 --------- d-----w C:\Program Files\Dell Support
2007-12-27 02:02 --------- d-----w C:\Program Files\Dell Network Assistant
2007-12-27 02:02 --------- d-----w C:\Program Files\Dell AIO 810
2007-12-27 02:02 --------- d-----w C:\Program Files\DAEMON Tools
2007-12-27 01:59 --------- d-----w C:\Program Files\BAE
2007-12-27 01:39 --------- d-----w C:\Documents and Settings\Stephen\Application Data\Symantec
2007-12-27 01:20 --------- d-----w C:\Program Files\The KMPlayer
2007-12-21 02:47 --------- d-----w C:\Program Files\Dl_cats
2007-12-15 11:59 --------- d-----w C:\Program Files\Valve
2007-12-15 00:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-02 12:32 --------- d-----w C:\Program Files\DVDInfoPro
2007-12-02 12:12 --------- d-----w C:\Documents and Settings\Stephen\Application Data\CopyToDvd
2007-12-02 11:45 --------- d-----w C:\Program Files\DVDlabStudio
2007-11-28 08:58 --------- d-----w C:\Program Files\Easy Graphic Converter
2007-11-28 05:39 --------- d-----w C:\Documents and Settings\Stephen\Application Data\Sony
2007-11-28 05:39 --------- d-----w C:\Documents and Settings\Stephen\Application Data\Publish Providers
2007-11-28 05:21 --------- d-----w C:\Program Files\VSTPlugins
2007-11-28 05:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2007-11-28 05:20 --------- d-----w C:\Program Files\Sony Setup
2007-11-28 05:20 --------- d-----w C:\Program Files\Sony
2007-11-25 11:32 35,936 ----a-w C:\WINDOWS\system32\drivers\Pcouffin.sys
2007-11-25 11:32 --------- d-----w C:\Program Files\vso
2007-11-25 04:06 --------- d-----w C:\Documents and Settings\Stephen\Application Data\ArcSoft
2007-11-20 12:16 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-11-19 09:17 --------- d-----w C:\Documents and Settings\Alan\Application Data\Sonic
2007-11-18 00:03 --------- d-----w C:\Program Files\MP3Gain
2007-11-15 05:35 --------- d-----w C:\Documents and Settings\Stephen\Application Data\Media Player Classic
2007-11-14 05:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 07:27 --------- d-----w C:\Documents and Settings\Stephen\Application Data\GRETECH
2007-11-11 22:44 --------- d-----w C:\Program Files\Real Alternative
2007-11-11 22:44 --------- d-----w C:\Documents and Settings\Alan\Application Data\Media Player Classic
2007-11-11 22:34 --------- d-----w C:\Program Files\GRETECH
2007-11-08 19:38 --------- d-----w C:\Documents and Settings\Ann\Application Data\Grisoft
2007-11-05 07:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 06:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-09-08 04:34 12,413,440 ----a-w C:\Program Files\avgas-setup-7.5.1.43.exe
2007-09-08 04:24 401,720 ----a-w C:\Program Files\Crusty.exe.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-04_18.49.32.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-30 21:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2007-12-24 14:23:20 54,280 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-04 08:20:56 54,280 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-12-24 14:23:20 384,596 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-04 08:20:56 384,596 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-29 00:57 395776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 20:07 68856]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-16 22:24 167368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-16 11:39 7323648]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 08:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 08:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 08:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 08:00 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 16:03 36975]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 13:20 282624 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 10:15 151552]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 06:12 94208]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 08:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 19:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 19:50 81920]
"DLCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll" [2005-09-08 01:56 73728]
"dlcgmon.exe"="C:\Program Files\Dell AIO 810\dlcgmon.exe" [2005-10-20 22:42 425984]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 20:25 6731312]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 16:53 88024]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25 249896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-05-31 11:07:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 7.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 7.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 7.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=C:\WINDOWS\pss\Dell Network Assistant.lnkCommon Startup

S1 vcdrom;Virtual CD-ROM Device Driver;C:\Documents and Settings\Stephen\Desktop\VCdRom.sys []
S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys [2005-05-11 22:12]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys [2005-05-11 22:12]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys [2005-05-11 22:12]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k600mgmt.sys [2005-05-11 22:12]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys [2005-03-04 20:15]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 06:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36b02f06-1f96-11dc-b67e-00038a000015}]
\Shell\AutoRun\command - F:\Installer.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 20:26:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04 20:28:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-04 09:28:50
ComboFix2.txt 2008-01-04 07:50:10
.
2007-12-25 14:53:06 --- E O F ---

and my Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:39 PM, on 4/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell AIO 810\dlcgmon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Crusty.exe.exe

R3 - URLSearchHook: Yahoo! μ?o?́? - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! μ?o?́? - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcgmon.exe] "C:\Program Files\Dell AIO 810\dlcgmon.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: ?́3μ - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: ?́3μ(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2279B805-EA3C-4A9B-95D5-A9109CB3F452}: NameServer = 10.0.0.138
O17 - HKLM\System\CS1\Services\Tcpip\..\{2279B805-EA3C-4A9B-95D5-A9109CB3F452}: NameServer = 10.0.0.138
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10608 bytes

thanks for helping :)
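Reading a HijackThis log by hand means looking for the same few oddities every time: a service with no company name (the "- -" and "Unknown owner" entries), toolbar or startup entries that point at a file that no longer exists, and O17 name servers that are not on the local network. The script below is an added example, not code from this thread or from HijackThis; it parses a handful of lines copied from the log above plus one constructed O17 line (203.0.113.5 is a documentation address, not a real resolver seen on this machine) and returns the entries an analyst would want to verify. The regular expressions for the O23 and O17 formats are my own assumptions about the log layout.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: lines taken from the HijackThis log above, plus one extra
# O17 line with a documentation-range address so the DNS check has a hit.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{2279B805-EA3C-4A9B-95D5-A9109CB3F452}: NameServer = 10.0.0.138
O17 - HKLM\System\CS1\Services\Tcpip\..\{2279B805-EA3C-4A9B-95D5-A9109CB3F452}: NameServer = 203.0.113.5
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Private address blocks a home router's DNS server is expected to sit in.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed layout: "O23 - Service: <name> - <vendor> - <path>"; the vendor part is
# empty ("- -") when HijackThis could not read a company name from the file.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) -(?: (?P<vendor>.*?))? - (?P<path>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<dns>[\d.,]+)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def is_rfc1918(addr):
    """True if addr is a private LAN address."""
    ip = ip_address(addr.strip())
    return any(ip in net for net in RFC1918)


def triage(log_text):
    """Walk HijackThis entries and return the ones worth a second look."""
    findings = []
    for line in log_text.strip().splitlines():
        section = line.split(" - ", 1)[0]
        if section == "O23":
            m = O23_RE.match(line)
            vendor = (m.group("vendor") or "").strip() if m else ""
            if m and vendor in ("", "Unknown owner"):
                findings.append(Finding(section, "service has no verifiable vendor; confirm the publisher of " + m.group("path"), line))
        elif section == "O17":
            m = O17_RE.match(line)
            if m:
                for dns in m.group("dns").split(","):
                    if not is_rfc1918(dns):
                        findings.append(Finding(section, f"DNS server {dns} is not on the LAN; check for DNS hijacking", line))
        elif line.endswith("(no file)") or line.endswith("= ?"):
            findings.append(Finding(section, "entry points at a file that no longer exists; stale or orphaned", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the log above it flags the orphaned O9 button and the "?" startup shortcut (harmless leftovers, but they are what the cleanup removes), the two services without a readable vendor (here the Dell printer service and a Symantec component, both legitimate, which is exactly why a missing vendor is a prompt to check the file rather than a verdict), and only the constructed public-address O17 line; the real 10.0.0.138 entries are the router and pass.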

#8
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hi,

This looks Ok again :)

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 3".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

* Go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

Edited by miekiemoes, 04 January 2008 - 03:43 AM.

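The Java steps above ask the user to pick every "Java Runtime Environment (JRE or J2SE)" entry out of Add/Remove Programs by eye, which is error-prone because Sun changed the display-name format between releases ("SE v1.4.2", "5.0 Update 6", "Java(TM) 6 Update 3"). The script below is an added example, not something from this thread or from Sun's installer: it normalises those names to a comparable (major, update) pair and lists the entries older than the JRE 6 Update 3 the post recommends. The sample display names are constructed from the examples in the post; on Windows it reads real entries from the HKLM Uninstall registry key via `winreg`, elsewhere it falls back to the sample list.

```python
import re
import sys

# Constructed Add/Remove Programs display names, modelled on the examples in
# the post above, plus one current JRE and one non-Java program.
SAMPLE_PROGRAMS = [
    "Java 2 Runtime Environment, SE v1.4.2",
    "J2SE Runtime Environment 5.0",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java(TM) 6 Update 3",
    "Adobe Reader 8",
]

DOTTED_RE = re.compile(r"\bv?(\d+)\.(\d+)(?:\.(\d+))?")   # "v1.4.2", "5.0"
MAJOR_RE = re.compile(r"Java(?:\(TM\))?\s+(\d+)\b")          # "Java(TM) 6"
UPDATE_RE = re.compile(r"Update\s+(\d+)")                     # "Update 6"


def java_version(display_name):
    """Return (major, update) for a JRE/J2SE entry, or None if it is not Java."""
    if not re.search(r"\b(Java|J2SE|JRE)\b", display_name):
        return None
    m = DOTTED_RE.search(display_name)
    if m:
        first, second = int(m.group(1)), int(m.group(2))
        major = second if first == 1 else first   # 1.4.2 is "Java 4", 5.0 is "Java 5"
    else:
        m = MAJOR_RE.search(display_name)
        if not m:
            return None
        major = int(m.group(1))
    u = UPDATE_RE.search(display_name)
    return (major, int(u.group(1)) if u else 0)


def outdated_java(display_names, current=(6, 3)):
    """Display names of installed Java runtimes older than `current` (JRE 6 Update 3)."""
    result = []
    for name in display_names:
        version = java_version(name)
        if version is not None and version < current:
            result.append(name)
    return result


def installed_programs():
    """DisplayName of every entry under the HKLM Uninstall key (Windows only)."""
    import winreg
    names = []
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as root:
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(root, index)
            except OSError:            # EnumKey raises once the subkeys run out
                break
            index += 1
            try:
                with winreg.OpenKey(root, sub) as key:
                    names.append(winreg.QueryValueEx(key, "DisplayName")[0])
            except OSError:            # subkey without a DisplayName value
                pass
    return names


if __name__ == "__main__":
    programs = installed_programs() if sys.platform == "win32" else SAMPLE_PROGRAMS
    for name in outdated_java(programs):
        print("remove:", name)
```

On a 32-bit XP machine like the one in this thread the single Uninstall key is enough; on 64-bit Windows a 32-bit JRE registers under the WOW6432Node copy of the same path, so an audit there should read both.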

#9
stevfunn

    Member

  • Topic Starter
  • Member
  • 17 posts
Thanks so much for helping me, miekiemoes

Now whenever I turn on my computer there aren't annoying popups or anything.

Everything's working fine... at least for now.

Thanks so much again. :)

#10
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#11
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.