Another Virtumonde

P

PhilX

New member
I hope I am correct to post a new thread for this. I am posting from another PC.

SB S&D reports Virtumonde infection, also Windows Defender reported Browser Modifier: Win32/Fotomoto (attempted to remove, said successful but keeps coming back).

Let SB S&D fix the problems and rebooted, still some Virtumonde left, disconnected from internet, rebooted, another SB S&D scan and fix, reboot, SB S&D scan still shows 3 items.

I can identify the times of the infections (I think) by looking at recently created files in Window\system32 and have searched for registry entries as follows...

Search for pfcfbrxt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name=0c377ca9


Search for obhstkxv.dll
HKEY_CLASSES_ROOT\CLSID\{1a08aa9e-3225-4560-b03b-fe4085ae0052}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1a08aa9e-3225-4560-b03b-fe4085ae0052}\I

nprocServer32

Search for above key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A08AA9E-32

25-4560-B03B-FE4085AE0052}\iexplore

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser

Helper Objects\{1a08aa9e-3225-4560-b03b-fe4085ae0052}

HKEY_USERS\S-1-5-21-3987327456-2122932760-77203996-1006\Software\Microsoft\Windows

\CurrentVersion\Ext\Stats\{1A08AA9E-3225-4560-B03B-FE4085AE0052}\iexplore

Search for rqronki.dll = not found

Search for gebxwxv.dll = not found

Search for txrbfcfp.ini = not found

Search for WLTRAY .exe (name only)

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
...C:\WINDOWS\system32\WLTRAY.exe
says is Dell Wireless WLAN Card Wireless Network Tray Applet

Earlier files (sony ericson?)

SYSTEM32...
usnserv.exe
byxxust.dll
ssqrq.dll
qrqss.ini
qrqss.ini2
ssqrq.exe

Would it be a valid approach to delete these registry entries and files? (I'm not intending to do anything yet).

This is the start of SB S&D scan log...

--- Search result list ---
Virtumonde: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-3987327456-2122932760-77203996-1006\Software\Microsoft\rdfa

Virtumonde: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Virtumonde: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-3987327456-2122932760-77203996-1006\Software\Microsoft\aldd

I have the infected PC disconnected from the internet now so no Kaspersky online scanner.

I hope you will be able to help, Thanks
Phil

Hijackthis log (after SB S&D removals and uninstall of some other s/w).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:01:20, on 04/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Dell\E-Center\EULALauncher.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\usnserv.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
C:\WINDOWS\system32\WLTRAY .exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Dell\E-Center\EULALauncher .exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc .exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\Dell Support Center\bin\sprtcmd .exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv .exe
C:\Program Files\Windows Defender\MSASCui .exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://partnerpage.google.com/small...n&client=dell-usuk&channel=uk-smb&ibd=1071219
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/small...n&client=dell-usuk&channel=uk-smb&ibd=1071219
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/MyAccount.asp?affid=105-256&dtag=D5B4C3J&langid=
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrq.exe
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Userfile Sharing Server] usnserv.exe
O4 - HKLM\..\Run: [0c377ca9] rundll32.exe "C:\WINDOWS\system32\pfcfbrxt.dll",b
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?769d74ff525b4fa5b59a103963f7943b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?769d74ff525b4fa5b59a103963f7943b
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1198543405921
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7085 bytes
 
Hi PhilX and welcome to Safer Networking Forums :)

Rename HijackThis.exe to PhilX.exe and post back a fresh HijackThis log, please.
 
Thanks for your attention

Sorry for taking so long to reply, I was expecting an email when the thread was posted too and so was not checking regularly.

Renamed hijackthis.exe as PhilX.exe and ran again, new log follows.

Also as further info I forgot to mention, when logging in I got a pop-up...

RUNDLL
Error loading C:\windows\system32zssqrq.dll
No such interface supported

Three times

I didn't get them when I started up this time though.

Thanks for your time,

Phil

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:10:58, on 06/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched .exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Dell\E-Center\EULALauncher.exe
C:\WINDOWS\system32\WLTRAY .exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv .exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\WINDOWS\system32\usnserv.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc .exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Dell\E-Center\EULALauncher .exe
C:\Program Files\Dell Support Center\bin\sprtcmd .exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Windows Defender\MSASCui .exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\Dell\QuickSet\quickset .exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\PhilX.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://partnerpage.google.com/small...n&client=dell-usuk&channel=uk-smb&ibd=1071219
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/small...n&client=dell-usuk&channel=uk-smb&ibd=1071219
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/MyAccount.asp?affid=105-256&dtag=D5B4C3J&langid=
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrq.exe
O2 - BHO: {2500ea58-04ef-b30b-0654-5223e9aa80a1} - {1a08aa9e-3225-4560-b03b-fe4085ae0052} - C:\WINDOWS\system32\obhstkxv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6F2B8E88-0A87-4E7C-BC8C-C92CC4F2839B} - C:\WINDOWS\system32\ssqrq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: (no name) - {E1E1D3A0-66EA-46D2-BBCF-43730668E1EB} - C:\WINDOWS\system32\byxxust.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Userfile Sharing Server] usnserv.exe
O4 - HKLM\..\Run: [0c377ca9] rundll32.exe "C:\WINDOWS\system32\pfcfbrxt.dll",b
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?769d74ff525b4fa5b59a103963f7943b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?769d74ff525b4fa5b59a103963f7943b
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1198543405921
O20 - Winlogon Notify: byxxust - C:\WINDOWS\SYSTEM32\byxxust.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8232 bytes
 
Hi

You seem to have a file-infecting vundo so we won't install yet antivirus.

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Post:

- a fresh HijackThis log
- combofix report
 
ComboFix and new hijackthis logs

Hi Shaba

As already mentioned the infected PC is not connected to the internet, I am transferring via a data stick, I downloaded ComboFix to this PC and copied it onto the desktop of the infected PC, is this OK (not downloaded directly to desktop as instructed)?

The 2 logs follow.

After ComboFix rebooted PC and continued (title = Find3M) I got repeated error pop-ups while before it completed from RUNDLL, first = the ssqrq.dll already mentioned, the rest are "error loading the specified module could not be found", these kept coming while I ran hijackthis again.

Also there is a system tray icon for java update saying a new version of java is ready to install.

ComboFix 08-01-04.1 - Xanthe 2008-01-06 18:48:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.483 [GMT 0:00]
Running from: C:\Documents and Settings\Xanthe\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dell\E-Center\EULALauncher.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\byxxust.dll
C:\WINDOWS\system32\gebxwxv.dll
C:\WINDOWS\system32\obhstkxv.dll
C:\WINDOWS\system32\pfcfbrxt.dll
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\rqronki.dll
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\ssqrq.exe
C:\WINDOWS\system32\txrbfcfp.ini
C:\WINDOWS\system32\WLTRAY.exe

Code: 
 <pre>
"C:\dell\E-Center\EULALauncher .exe" replaces infected copy of "C:\dell\E-Center\EULALauncher.exe"
"C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe" replaces infected copy of "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe" replaces infected copy of "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" replaces infected copy of "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv .exe" replaces infected copy of "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
"C:\Program Files\Dell Support Center\bin\sprtcmd .exe" replaces infected copy of "C:\Program Files\Dell Support Center\bin\sprtcmd.exe"
"C:\Program Files\Dell Support Center\gs_agent\custom\dsca .exe" replaces infected copy of "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
"C:\Program Files\Java\jre1.5.0_07\bin\jusched .exe" replaces infected copy of "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
"C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc .exe" replaces infected copy of "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
"C:\Program Files\Synaptics\SynTP\SynTPEnh .exe" replaces infected copy of "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
"C:\Program Files\Windows Defender\MSASCui .exe" replaces infected copy of "C:\Program Files\Windows Defender\MSASCui.exe"
"C:\WINDOWS\system32\WLTRAY .exe" replaces infected copy of "C:\WINDOWS\system32\WLTRAY.exe"
</pre>
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-06 18:46 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 17:53 . 2007-12-19 02:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-01-05 17:53 . 2007-12-19 02:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2008-01-04 13:00 . 2008-01-04 13:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-04 01:45 . 2008-01-04 01:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-03 02:25 . 2008-01-03 00:52 72,704 -rahs---- C:\WINDOWS\system32\usnserv.exe
2007-12-30 14:26 . 2007-12-30 14:26 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\Leadertech
2007-12-30 14:08 . 2007-12-30 14:08 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\AdobeUM
2007-12-30 14:08 . 2007-12-30 14:08 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\AdobeAUM
2007-12-30 14:05 . 2007-12-30 14:06 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\Teleca
2007-12-30 14:04 . 2007-12-30 14:04 <DIR> d-------- C:\Program Files\Sony Ericsson
2007-12-30 14:04 . 2008-01-04 12:56 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2007-12-30 14:02 . 2007-12-30 14:02 6,144 --a------ C:\WINDOWS\system32\drivers\k750cm.sys
2007-12-30 14:02 . 2007-12-30 14:02 5,744 --a------ C:\WINDOWS\system32\drivers\k750wh.sys
2007-12-30 14:01 . 2007-12-30 14:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-30 14:01 . 2007-12-30 14:02 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-26 20:53 . 2007-12-26 20:53 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-12-26 20:14 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-26 20:14 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-12-26 20:14 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-26 01:29 . 2008-01-06 18:55 <DIR> d-------- C:\MDT
2007-12-26 01:28 . 2007-12-26 01:28 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\CyberLink
2007-12-26 01:28 . 2007-12-26 01:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-25 20:55 . 2007-12-25 20:55 268 --ah----- C:\sqmdata01.sqm
2007-12-25 20:55 . 2007-12-25 20:55 244 --ah----- C:\sqmnoopt01.sqm
2007-12-25 20:53 . 2007-12-25 20:53 268 --ah----- C:\sqmdata00.sqm
2007-12-25 20:53 . 2007-12-25 20:53 244 --ah----- C:\sqmnoopt00.sqm
2007-12-25 20:36 . 2008-01-06 18:54 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-25 20:31 . 2007-12-25 20:31 <DIR> d-------- C:\Program Files\IZArc
2007-12-25 18:20 . 2007-12-25 18:20 <DIR> d-------- C:\Documents and Settings\Xanthe\Contacts
2007-12-25 17:54 . 2007-12-26 20:53 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-12-25 17:54 . 2007-12-25 17:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-12-25 17:53 . 2007-12-30 14:04 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-25 17:53 . 2007-12-25 17:53 <DIR> d-------- C:\Program Files\MSN Messenger
2007-12-25 08:38 . 2008-01-06 18:55 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\OpenOffice.org2
2007-12-25 08:37 . 2007-12-25 08:37 <DIR> d-------- C:\Program Files\OpenOffice.org 2.1
2007-12-25 08:14 . 2007-12-25 08:14 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\MSNInstaller
2007-12-25 01:07 . 2007-12-25 01:07 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-25 01:00 . 2007-07-09 13:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-25 00:42 . 2007-12-25 00:42 <DIR> d---s---- C:\Documents and Settings\Xanthe\UserData
2007-12-25 00:39 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-25 00:38 . 2007-12-25 00:38 4,128 --a------ C:\INFCACHE.1
2007-12-25 00:08 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-12-25 00:08 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-25 00:08 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-12-25 00:08 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2007-12-25 00:07 . 2007-12-25 00:07 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\Dell
2007-12-25 00:06 . 2007-12-19 02:04 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\InstallShield
2007-12-25 00:06 . 2007-12-19 02:15 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\ATI
2007-12-25 00:03 . 2007-12-25 00:03 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2007-12-19 02:15 . 2007-12-19 02:15 61 --a------ C:\WINDOWS\smscfg.ini
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Program Files\Microsoft Works
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Program Files\Dell Support Center
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-12-19 02:08 . 2007-12-25 00:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-19 02:07 . 2007-12-19 02:08 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-19 02:07 . 2007-12-19 02:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Roxio
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\CyberLink
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\NetWaiting
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\Modem Diagnostic Tool
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\Digital Line Detect
2007-12-19 02:05 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\ATI Technologies
2007-12-19 02:04 . 2007-12-19 02:04 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-12-19 02:04 . 2007-12-19 02:06 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-12-19 02:04 . 2007-12-19 02:07 <DIR> d-------- C:\Program Files\Dell
2007-12-19 02:04 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-12-19 02:04 . 2007-12-19 02:04 <DIR> d-------- C:\Program Files\Broadcom
2007-12-19 02:03 . 2007-12-19 02:03 <DIR> d-------- C:\Program Files\Sigmatel
2007-12-19 02:03 . 2007-04-23 21:01 4,939,776 --a------ C:\WINDOWS\system32\stacgui.cpl
2007-12-19 02:03 . 2007-04-23 21:01 1,601,536 --a------ C:\WINDOWS\system32\stlang.dll
2007-12-19 02:03 . 2007-04-23 21:01 303,104 --a------ C:\WINDOWS\stsystra.exe
2007-12-19 02:03 . 2004-08-03 22:58 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-12-19 02:03 . 2004-08-03 22:58 5,376 --a------ C:\WINDOWS\system32\dllcache\mspclock.sys
2007-12-19 02:02 . 2007-12-19 02:02 <DIR> d-------- C:\Program Files\CONEXANT
2007-12-19 02:02 . 2004-08-04 00:56 130,048 --a------ C:\WINDOWS\system32\ksproxy.ax
2007-12-19 02:02 . 2004-08-04 00:56 130,048 --a------ C:\WINDOWS\system32\dllcache\ksproxy.ax
2007-12-19 02:02 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-12-19 02:02 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS\system32\dllcache\drmk.sys
2007-12-19 02:02 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-12-19 02:02 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS\system32\dllcache\ksuser.dll
2007-12-19 02:01 . 2004-08-04 05:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-19 02:01 . 2006-03-17 00:38 28,672 --a------ C:\WINDOWS\system32\verclsid.exe
2007-12-19 02:01 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-19 01:59 . 2007-12-25 08:36 <DIR> d-------- C:\Program Files\Java
2007-12-19 01:59 . 2007-12-19 01:59 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-19 01:59 . 2006-05-03 02:56 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2007-12-19 01:57 . 2007-12-19 01:57 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-19 01:57 . 2007-06-13 10:23 1,033,216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-12-19 01:57 . 2007-05-17 11:28 549,376 --------- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-12-19 01:57 . 2007-05-30 10:47 81,664 --------- C:\WINDOWS\system32\dllcache\videoprt.sys
2007-12-19 01:57 . 2007-05-03 10:27 78,720 --------- C:\WINDOWS\system32\dllcache\sdbus.sys
2007-12-19 01:57 . 2007-05-03 10:03 12,032 --------- C:\WINDOWS\system32\dllcache\sffdisk.sys
2007-12-19 01:57 . 2007-05-03 10:03 11,008 --------- C:\WINDOWS\system32\dllcache\sffp_sd.sys

.
 
ComboFix continued

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 18:55 344,576 ----a-w C:\WINDOWS\system32\ssqrq.dll
2008-01-06 18:44 1,392,640 ----a-w C:\WINDOWS\system32\WLTRAY.exe
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 09:55 3,065,856 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 17:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 17:39 230,912 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-27 17:37 2,109,440 ------w C:\WINDOWS\system32\dllcache\wmvcore.dll
2007-10-16 14:16 90,112 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-10-16 14:16 6,684,672 ----a-w C:\WINDOWS\system32\atioglx1.dll
2007-10-16 14:16 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-10-16 14:16 5,148,672 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-10-16 14:16 430,080 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-10-16 14:16 41,984 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-10-16 14:16 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-10-16 14:16 303,104 ----a-w C:\WINDOWS\system32\ATIDEMGR.dll
2007-10-16 14:16 294,912 ----a-w C:\WINDOWS\system32\dllcache\ati2cqag.dll
2007-10-16 14:16 294,912 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-10-16 14:16 260,608 ----a-w C:\WINDOWS\system32\dllcache\ati2dvag.dll
2007-10-16 14:16 260,608 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-10-16 14:16 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-10-16 14:16 24,064 ----a-w C:\WINDOWS\system32\ativcoxx.dll
2007-10-16 14:16 221,184 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-10-16 14:16 2,518,336 ----a-w C:\WINDOWS\system32\dllcache\ati3duag.dll
2007-10-16 14:16 2,518,336 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-10-16 14:16 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-10-16 14:16 118,784 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-10-16 14:16 106,496 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-10-16 14:16 1,777,152 ----a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
2007-10-16 14:16 1,092,960 ----a-w C:\WINDOWS\system32\dllcache\ativvaxx.dll
2007-10-16 14:16 1,092,960 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-10-11 05:57 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-10-11 05:57 666,112 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-11 05:57 617,984 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-11 05:57 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-11 05:57 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-11 05:57 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-10-11 05:57 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-11 05:57 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-11 05:57 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-10-11 05:57 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-10-11 05:57 205,824 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-11 05:57 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-11 05:57 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-10-11 05:57 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-11 05:57 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-11 05:57 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-10-11 05:57 1,024,000 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-10-10 10:48 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
.
Code: 
<pre>
----a-w            57,344 2008-01-04 12:54:12  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
----a-w            40,048 2008-01-04 00:36:27  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w         1,259,520 2008-01-06 18:55:52  C:\Program Files\Dell\QuickSet\quickset .exe
----a-w           159,744 2008-01-04 12:51:08  C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2008-01-06 18:55 551936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-06 18:55 1231872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2008-01-06 18:55 41472]
"SigmatelSysTrayApp"="stsystra.exe" [2007-04-23 21:01 303104 C:\WINDOWS\stsystra.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2008-01-06 18:55 1757184]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset .exe" [2008-01-06 18:55 1259520]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2008-01-06 18:55 141824]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-01-06 18:55 251392]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-01-06 18:55 88064]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2008-01-06 18:56 1180160]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-01-06 18:56 144384]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2008-01-06 18:56 23552]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-01-06 18:56 22016]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-06 18:56 897024]
"Userfile Sharing Server"="usnserv.exe" [2008-01-03 00:52 72704 C:\WINDOWS\system32\usnserv.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]

C:\Documents and Settings\Xanthe\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\ssqrq

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2007-05-23 14:07]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 10:35]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-05 16:08:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-01-06 18:47:08 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 18:55:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\qrqss.ini 391 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\ssqrq.dll
.
Completion time: 2008-01-06 18:57:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-06 18:57:16
.
2008-01-03 23:50:35 --- E O F ---
 
Hijackthis log after ComboFix

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:00:08, on 06/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Dell\E-Center\EULALauncher.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\usnserv.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\PhilX.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/small...n&client=dell-usuk&channel=uk-smb&ibd=1071219
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/MyAccount.asp?affid=105-256&dtag=D5B4C3J&langid=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Userfile Sharing Server] usnserv.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?769d74ff525b4fa5b59a103963f7943b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?769d74ff525b4fa5b59a103963f7943b
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1198543405921
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6683 bytes
 
Hi

Yes, that is fine :)

It's very good to keep that computer offline while you're infected.

Open notepad and copy/paste the text in the quotebox below into it:

Code: 
Rootkit::
C:\WINDOWS\system32\qrqss.ini

RenV::
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe

File::
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\usnserv.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Userfile Sharing Server"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
After Combofix run 2

Hi Shaba

Here are the requested logs.

Thanks

Phil

Combofix log part 1

ComboFix 08-01-04.1 - Xanthe 2008-01-07 10:42:02.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.508 [GMT 0:00]
Running from: C:\Documents and Settings\Xanthe\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Xanthe\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\usnserv.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dell\E-Center\EULALauncher.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\ssqrq.exe
C:\WINDOWS\system32\usnserv.exe
C:\WINDOWS\system32\WLTRAY.exe

Code: 
 <pre>
"C:\dell\E-Center\EULALauncher .exe" replaces infected copy of "C:\dell\E-Center\EULALauncher.exe"
"C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe" replaces infected copy of "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe" replaces infected copy of "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" replaces infected copy of "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv .exe" replaces infected copy of "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
"C:\Program Files\Dell Support Center\bin\sprtcmd .exe" replaces infected copy of "C:\Program Files\Dell Support Center\bin\sprtcmd.exe"
"C:\Program Files\Dell Support Center\gs_agent\custom\dsca .exe" replaces infected copy of "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
"C:\Program Files\Java\jre1.5.0_07\bin\jusched .exe" replaces infected copy of "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
"C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc .exe" replaces infected copy of "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
"C:\Program Files\Synaptics\SynTP\SynTPEnh .exe" replaces infected copy of "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
"C:\Program Files\Windows Defender\MSASCui .exe" replaces infected copy of "C:\Program Files\Windows Defender\MSASCui.exe"
"C:\WINDOWS\system32\WLTRAY .exe" replaces infected copy of "C:\WINDOWS\system32\WLTRAY.exe"
</pre>
.
.
((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-07 10:38 . 2008-01-07 10:45 2,101,760 --a------ C:\WINDOWS\system32\WLTRAY.exe
2008-01-06 18:46 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 17:53 . 2007-12-19 02:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-01-05 17:53 . 2007-12-19 02:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2008-01-04 13:00 . 2008-01-04 13:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-04 01:45 . 2008-01-04 01:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-30 14:26 . 2007-12-30 14:26 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\Leadertech
2007-12-30 14:08 . 2007-12-30 14:08 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\AdobeUM
2007-12-30 14:08 . 2007-12-30 14:08 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\AdobeAUM
2007-12-30 14:05 . 2007-12-30 14:06 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\Teleca
2007-12-30 14:04 . 2007-12-30 14:04 <DIR> d-------- C:\Program Files\Sony Ericsson
2007-12-30 14:04 . 2008-01-04 12:56 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2007-12-30 14:02 . 2007-12-30 14:02 6,144 --a------ C:\WINDOWS\system32\drivers\k750cm.sys
2007-12-30 14:02 . 2007-12-30 14:02 5,744 --a------ C:\WINDOWS\system32\drivers\k750wh.sys
2007-12-30 14:01 . 2007-12-30 14:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-30 14:01 . 2007-12-30 14:02 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-26 20:53 . 2007-12-26 20:53 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-12-26 20:14 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-26 20:14 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-12-26 20:14 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-26 01:29 . 2008-01-07 10:45 <DIR> d-------- C:\MDT
2007-12-26 01:28 . 2007-12-26 01:28 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\CyberLink
2007-12-26 01:28 . 2007-12-26 01:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-25 20:55 . 2007-12-25 20:55 268 --ah----- C:\sqmdata01.sqm
2007-12-25 20:55 . 2007-12-25 20:55 244 --ah----- C:\sqmnoopt01.sqm
2007-12-25 20:53 . 2007-12-25 20:53 268 --ah----- C:\sqmdata00.sqm
2007-12-25 20:53 . 2007-12-25 20:53 244 --ah----- C:\sqmnoopt00.sqm
2007-12-25 20:36 . 2008-01-07 10:46 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-25 20:31 . 2007-12-25 20:31 <DIR> d-------- C:\Program Files\IZArc
2007-12-25 18:20 . 2007-12-25 18:20 <DIR> d-------- C:\Documents and Settings\Xanthe\Contacts
2007-12-25 17:54 . 2007-12-26 20:53 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-12-25 17:54 . 2007-12-25 17:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-12-25 17:53 . 2007-12-30 14:04 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-25 17:53 . 2007-12-25 17:53 <DIR> d-------- C:\Program Files\MSN Messenger
2007-12-25 08:38 . 2008-01-07 10:45 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\OpenOffice.org2
2007-12-25 08:37 . 2007-12-25 08:37 <DIR> d-------- C:\Program Files\OpenOffice.org 2.1
2007-12-25 08:14 . 2007-12-25 08:14 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\MSNInstaller
2007-12-25 01:07 . 2007-12-25 01:07 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-25 01:00 . 2007-07-09 13:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-25 00:42 . 2007-12-25 00:42 <DIR> d---s---- C:\Documents and Settings\Xanthe\UserData
2007-12-25 00:39 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-25 00:38 . 2007-12-25 00:38 4,128 --a------ C:\INFCACHE.1
2007-12-25 00:08 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-12-25 00:08 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-25 00:08 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-12-25 00:08 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2007-12-25 00:07 . 2007-12-25 00:07 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\Dell
2007-12-25 00:06 . 2007-12-19 02:04 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\InstallShield
2007-12-25 00:06 . 2007-12-19 02:15 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\ATI
2007-12-25 00:03 . 2007-12-25 00:03 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2007-12-19 02:15 . 2007-12-19 02:15 61 --a------ C:\WINDOWS\smscfg.ini
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Program Files\Microsoft Works
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Program Files\Dell Support Center
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-12-19 02:08 . 2007-12-25 00:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-19 02:07 . 2007-12-19 02:08 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-19 02:07 . 2007-12-19 02:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Roxio
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\CyberLink
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\NetWaiting
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\Modem Diagnostic Tool
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\Digital Line Detect
2007-12-19 02:05 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\ATI Technologies
2007-12-19 02:04 . 2007-12-19 02:04 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-12-19 02:04 . 2007-12-19 02:06 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-12-19 02:04 . 2007-12-19 02:07 <DIR> d-------- C:\Program Files\Dell
2007-12-19 02:04 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-12-19 02:04 . 2007-12-19 02:04 <DIR> d-------- C:\Program Files\Broadcom
2007-12-19 02:03 . 2007-12-19 02:03 <DIR> d-------- C:\Program Files\Sigmatel
2007-12-19 02:03 . 2007-04-23 21:01 4,939,776 --a------ C:\WINDOWS\system32\stacgui.cpl
2007-12-19 02:03 . 2007-04-23 21:01 1,601,536 --a------ C:\WINDOWS\system32\stlang.dll
2007-12-19 02:03 . 2007-04-23 21:01 303,104 --a------ C:\WINDOWS\stsystra.exe
2007-12-19 02:03 . 2004-08-03 22:58 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-12-19 02:03 . 2004-08-03 22:58 5,376 --a------ C:\WINDOWS\system32\dllcache\mspclock.sys
2007-12-19 02:02 . 2007-12-19 02:02 <DIR> d-------- C:\Program Files\CONEXANT
2007-12-19 02:02 . 2004-08-04 00:56 130,048 --a------ C:\WINDOWS\system32\ksproxy.ax
2007-12-19 02:02 . 2004-08-04 00:56 130,048 --a------ C:\WINDOWS\system32\dllcache\ksproxy.ax
2007-12-19 02:02 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-12-19 02:02 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS\system32\dllcache\drmk.sys
2007-12-19 02:02 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-12-19 02:02 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS\system32\dllcache\ksuser.dll
2007-12-19 02:01 . 2004-08-04 05:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-19 02:01 . 2006-03-17 00:38 28,672 --a------ C:\WINDOWS\system32\verclsid.exe
2007-12-19 02:01 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-19 01:59 . 2007-12-25 08:36 <DIR> d-------- C:\Program Files\Java
2007-12-19 01:59 . 2007-12-19 01:59 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-19 01:59 . 2006-05-03 02:56 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2007-12-19 01:57 . 2007-12-19 01:57 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-19 01:57 . 2007-06-13 10:23 1,033,216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-12-19 01:57 . 2007-05-17 11:28 549,376 --------- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-12-19 01:57 . 2007-05-30 10:47 81,664 --------- C:\WINDOWS\system32\dllcache\videoprt.sys
2007-12-19 01:57 . 2007-05-03 10:27 78,720 --------- C:\WINDOWS\system32\dllcache\sdbus.sys
2007-12-19 01:57 . 2007-05-03 10:03 12,032 --------- C:\WINDOWS\system32\dllcache\sffdisk.sys
2007-12-19 01:57 . 2007-05-03 10:03 11,008 --------- C:\WINDOWS\system32\dllcache\sffp_sd.sys
 
ComboFix run 2 continued

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
.
Code: 
<pre>
----a-w         1,604,096 2008-01-07 10:45:46  C:\Program Files\Dell\QuickSet\quickset .exe
----a-w           159,744 2008-01-04 12:51:08  C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-06_18.57.04.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-06 18:49:46 53,838 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-07 10:43:44 53,838 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-06 18:49:46 382,260 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-07 10:43:44 382,260 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2008-01-07 10:45 551936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-07 10:45 1231872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2008-01-07 10:45 386048]
"SigmatelSysTrayApp"="stsystra.exe" [2007-04-23 21:01 303104 C:\WINDOWS\stsystra.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2008-01-07 10:45 2101760]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset .exe" [2008-01-07 10:45 1604096]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2008-01-07 10:45 486400]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-01-07 10:45 595968]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-01-07 10:45 432640]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2008-01-07 10:45 1180160]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-01-07 10:45 144384]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2008-01-07 10:45 23552]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-01-07 10:45 22016]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-07 10:46 897024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\Xanthe\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\ssqrq

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2007-05-23 14:07]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 10:35]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 19:08:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-01-07 10:41:55 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 10:45:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\qrqss.ini 391 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\ssqrq.dll
.
Completion time: 2008-01-07 10:47:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-07 10:47:24
ComboFix2.txt 2008-01-06 18:57:31
.
2008-01-03 23:50:35 --- E O F ---
 
Hijackthis log after ComboFix run 2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:55, on 07/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Dell\E-Center\EULALauncher.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\PhilX.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/small...n&client=dell-usuk&channel=uk-smb&ibd=1071219
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/MyAccount.asp?affid=105-256&dtag=D5B4C3J&langid=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?769d74ff525b4fa5b59a103963f7943b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?769d74ff525b4fa5b59a103963f7943b
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1198543405921
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6736 bytes
 
Hi

It looks like that you will need re-install some programs.

I mean at least these:

C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

But as there doesn't seem to be clean copies (combofix restores it automatically if present), we can do nothing about that.

Open notepad and copy/paste the text in the quotebox below into it:

Code: 
Rootkit::
C:\WINDOWS\system32\qrqss.ini 

File::
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe
C:\WINDOWS\system32\ssqrq.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
Last edited:
ComboFix 3 and new hijackthis logs

Hi Shaba

As far as the reinstall goes that is fine, would it be ok to just copy the "quickset.exe" file from an identical uninfected laptop? or are we losing registry settings as well ?

Here are the logs as requested.

Combofix run 3 part 1

ComboFix 08-01-04.1 - Xanthe 2008-01-07 11:15:59.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.500 [GMT 0:00]
Running from: C:\Documents and Settings\Xanthe\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Xanthe\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe
C:\WINDOWS\system32\ssqrq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dell\E-Center\EULALauncher.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\ssqrq.exe
C:\WINDOWS\system32\WLTRAY.exe

Code: 
 <pre>
"C:\dell\E-Center\EULALauncher .exe" replaces infected copy of "C:\dell\E-Center\EULALauncher.exe"
"C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe" replaces infected copy of "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe" replaces infected copy of "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" replaces infected copy of "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv .exe" replaces infected copy of "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
"C:\Program Files\Dell Support Center\bin\sprtcmd .exe" replaces infected copy of "C:\Program Files\Dell Support Center\bin\sprtcmd.exe"
"C:\Program Files\Dell Support Center\gs_agent\custom\dsca .exe" replaces infected copy of "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
"C:\Program Files\Java\jre1.5.0_07\bin\jusched .exe" replaces infected copy of "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
"C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc .exe" replaces infected copy of "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
"C:\Program Files\Synaptics\SynTP\SynTPEnh .exe" replaces infected copy of "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
"C:\Program Files\Windows Defender\MSASCui .exe" replaces infected copy of "C:\Program Files\Windows Defender\MSASCui.exe"
"C:\WINDOWS\system32\WLTRAY .exe" replaces infected copy of "C:\WINDOWS\system32\WLTRAY.exe"
</pre>
.
.
((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-07 11:13 . 2008-01-07 11:13 1,392,640 --a------ C:\WINDOWS\system32\WLTRAY.exe
2008-01-06 18:46 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 17:53 . 2007-12-19 02:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-01-05 17:53 . 2007-12-19 02:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2008-01-04 13:00 . 2008-01-04 13:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-04 01:45 . 2008-01-04 01:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-30 14:26 . 2007-12-30 14:26 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\Leadertech
2007-12-30 14:08 . 2007-12-30 14:08 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\AdobeUM
2007-12-30 14:08 . 2007-12-30 14:08 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\AdobeAUM
2007-12-30 14:05 . 2007-12-30 14:06 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\Teleca
2007-12-30 14:04 . 2007-12-30 14:04 <DIR> d-------- C:\Program Files\Sony Ericsson
2007-12-30 14:04 . 2008-01-04 12:56 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2007-12-30 14:02 . 2007-12-30 14:02 6,144 --a------ C:\WINDOWS\system32\drivers\k750cm.sys
2007-12-30 14:02 . 2007-12-30 14:02 5,744 --a------ C:\WINDOWS\system32\drivers\k750wh.sys
2007-12-30 14:01 . 2007-12-30 14:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-30 14:01 . 2007-12-30 14:02 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-26 20:53 . 2007-12-26 20:53 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-12-26 20:14 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-26 20:14 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-12-26 20:14 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-26 01:29 . 2008-01-07 11:19 <DIR> d-------- C:\MDT
2007-12-26 01:28 . 2007-12-26 01:28 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\CyberLink
2007-12-26 01:28 . 2007-12-26 01:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-25 20:55 . 2007-12-25 20:55 268 --ah----- C:\sqmdata01.sqm
2007-12-25 20:55 . 2007-12-25 20:55 244 --ah----- C:\sqmnoopt01.sqm
2007-12-25 20:53 . 2007-12-25 20:53 268 --ah----- C:\sqmdata00.sqm
2007-12-25 20:53 . 2007-12-25 20:53 244 --ah----- C:\sqmnoopt00.sqm
2007-12-25 20:36 . 2008-01-07 11:18 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-25 20:31 . 2007-12-25 20:31 <DIR> d-------- C:\Program Files\IZArc
2007-12-25 18:20 . 2007-12-25 18:20 <DIR> d-------- C:\Documents and Settings\Xanthe\Contacts
2007-12-25 17:54 . 2007-12-26 20:53 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-12-25 17:54 . 2007-12-25 17:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-12-25 17:53 . 2007-12-30 14:04 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-25 17:53 . 2007-12-25 17:53 <DIR> d-------- C:\Program Files\MSN Messenger
2007-12-25 08:38 . 2008-01-07 11:19 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\OpenOffice.org2
2007-12-25 08:37 . 2007-12-25 08:37 <DIR> d-------- C:\Program Files\OpenOffice.org 2.1
2007-12-25 08:14 . 2007-12-25 08:14 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\MSNInstaller
2007-12-25 01:07 . 2007-12-25 01:07 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-25 01:00 . 2007-07-09 13:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-25 00:42 . 2007-12-25 00:42 <DIR> d---s---- C:\Documents and Settings\Xanthe\UserData
2007-12-25 00:39 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-25 00:38 . 2007-12-25 00:38 4,128 --a------ C:\INFCACHE.1
2007-12-25 00:08 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-12-25 00:08 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-25 00:08 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-12-25 00:08 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2007-12-25 00:07 . 2007-12-25 00:07 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\Dell
2007-12-25 00:06 . 2007-12-19 02:04 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\InstallShield
2007-12-25 00:06 . 2007-12-19 02:15 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\ATI
2007-12-25 00:03 . 2007-12-25 00:03 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2007-12-19 02:15 . 2007-12-19 02:15 61 --a------ C:\WINDOWS\smscfg.ini
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Program Files\Microsoft Works
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Program Files\Dell Support Center
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-12-19 02:08 . 2007-12-25 00:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-19 02:07 . 2007-12-19 02:08 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-19 02:07 . 2007-12-19 02:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Roxio
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\CyberLink
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\NetWaiting
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\Modem Diagnostic Tool
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\Digital Line Detect
2007-12-19 02:05 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\ATI Technologies
2007-12-19 02:04 . 2007-12-19 02:04 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-12-19 02:04 . 2007-12-19 02:06 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-12-19 02:04 . 2007-12-19 02:07 <DIR> d-------- C:\Program Files\Dell
2007-12-19 02:04 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-12-19 02:04 . 2007-12-19 02:04 <DIR> d-------- C:\Program Files\Broadcom
2007-12-19 02:03 . 2007-12-19 02:03 <DIR> d-------- C:\Program Files\Sigmatel
2007-12-19 02:03 . 2007-04-23 21:01 4,939,776 --a------ C:\WINDOWS\system32\stacgui.cpl
2007-12-19 02:03 . 2007-04-23 21:01 1,601,536 --a------ C:\WINDOWS\system32\stlang.dll
2007-12-19 02:03 . 2007-04-23 21:01 303,104 --a------ C:\WINDOWS\stsystra.exe
2007-12-19 02:03 . 2004-08-03 22:58 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-12-19 02:03 . 2004-08-03 22:58 5,376 --a------ C:\WINDOWS\system32\dllcache\mspclock.sys
2007-12-19 02:02 . 2007-12-19 02:02 <DIR> d-------- C:\Program Files\CONEXANT
2007-12-19 02:02 . 2004-08-04 00:56 130,048 --a------ C:\WINDOWS\system32\ksproxy.ax
2007-12-19 02:02 . 2004-08-04 00:56 130,048 --a------ C:\WINDOWS\system32\dllcache\ksproxy.ax
2007-12-19 02:02 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-12-19 02:02 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS\system32\dllcache\drmk.sys
2007-12-19 02:02 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-12-19 02:02 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS\system32\dllcache\ksuser.dll
2007-12-19 02:01 . 2004-08-04 05:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-19 02:01 . 2006-03-17 00:38 28,672 --a------ C:\WINDOWS\system32\verclsid.exe
2007-12-19 02:01 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-19 01:59 . 2007-12-25 08:36 <DIR> d-------- C:\Program Files\Java
2007-12-19 01:59 . 2007-12-19 01:59 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-19 01:59 . 2006-05-03 02:56 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2007-12-19 01:57 . 2007-12-19 01:57 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-19 01:57 . 2007-06-13 10:23 1,033,216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-12-19 01:57 . 2007-05-17 11:28 549,376 --------- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-12-19 01:57 . 2007-05-30 10:47 81,664 --------- C:\WINDOWS\system32\dllcache\videoprt.sys
2007-12-19 01:57 . 2007-05-03 10:27 78,720 --------- C:\WINDOWS\system32\dllcache\sdbus.sys
2007-12-19 01:57 . 2007-05-03 10:03 12,032 --------- C:\WINDOWS\system32\dllcache\sffdisk.sys
2007-12-19 01:57 . 2007-05-03 10:03 11,008 --------- C:\WINDOWS\system32\dllcache\sffp_sd.sys

.
 
ComboFix run 3 continued

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-06_18.57.04.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-06 18:49:46 53,838 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-07 10:49:25 53,838 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-06 18:49:46 382,260 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-07 10:49:25 382,260 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2008-01-07 11:13 202544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-07 11:13 851968]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2008-01-07 11:13 36975]
"SigmatelSysTrayApp"="stsystra.exe" [2007-04-23 21:01 303104 C:\WINDOWS\stsystra.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2008-01-07 11:13 1392640]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2008-01-07 11:13 90112]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-01-07 11:13 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-01-07 11:13 81920]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2008-01-07 11:13 1116920]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-01-07 11:13 118784]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2008-01-07 11:13 17920]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-01-07 11:13 16384]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-07 11:13 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\Xanthe\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48]

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2007-05-23 14:07]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 10:35]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 19:08:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-01-07 11:16:56 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 11:19:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\X6DKRY5CJQX4BIOV

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-01-07 11:21:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-07 11:20:47
ComboFix2.txt 2008-01-07 10:47:32
ComboFix3.txt 2008-01-06 18:57:31
.
2008-01-03 23:50:35 --- E O F ---
 
Hijackthis log after ComboFix run 3

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:58, on 07/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Dell\E-Center\EULALauncher.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\PhilX.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/small...n&client=dell-usuk&channel=uk-smb&ibd=1071219
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/MyAccount.asp?affid=105-256&dtag=D5B4C3J&langid=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?769d74ff525b4fa5b59a103963f7943b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?769d74ff525b4fa5b59a103963f7943b
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1198543405921
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6481 bytes
 
Hi

"As far as the reinstall goes that is fine, would it be ok to just copy the "quickset.exe" file from an identical uninfected laptop? or are we losing registry settings as well ?"

If versions are the same, then yes.

Problem is that I removed quickset from starting with windows in order to stop reinfection.

So after you copied that file from another computer to that one you need to do this:

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe"

It should look like this ->
reg.gif


Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

Reboot.

After that, you will need to allow that pc to access internet again in order to install antivirus:

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Remember to check that windows own firewall is on, too.

After those steps, please post back a fresh HijackThis log :)
 
Follow up actions

Hi Shaba

1. I can not get hold of "quickset.exe" right now as my other daughter has put a password on her laptop and is at school, I can deal with that later or reinstall from the Dell utilities disc supplied with the PC.

2. re anti-virus, yes my fault, I was busy, daughter pestering to use the new laptop, hadn't finished setting it up. I will install AVG free.

3 I also intend to follow recommendations from these forums and install SpywareBlaster and SpywareGuard (SBS&D already installed). I use Firefox everywhere else and will install it on the infected laptop as well, do the same recommendations still apply?

4 Firewall, until recently I have been using Zone Alarm, in December I bought a Netgear Wireless Router so that these new laptops could access the internet. I found that I could not get the router to work properly with Zone Alarm (free) no matter what (router IPs in trusted zone, trusted zone off, etc), I could get a connection but some communications between router and PC where still being blocked and the router could not see the PC name (no file sharing etc). The router has a SPI and NAT filewall, do I still need a personal firewall? Any suggestions? I realise this is off topic so if you can't help thats fine.

As I said I havn't done any of the regedit stuff right now, I have restarted the laptop and done another hijackthis, I don't know if you wanted this now but log follows.

Thanks again

Phil


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:33, on 07/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Dell\E-Center\EULALauncher.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\PhilX.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/small...n&client=dell-usuk&channel=uk-smb&ibd=1071219
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/MyAccount.asp?affid=105-256&dtag=D5B4C3J&langid=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?769d74ff525b4fa5b59a103963f7943b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?769d74ff525b4fa5b59a103963f7943b
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1198543405921
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6499 bytes
 
Hi

1. That is fine :)

2. Good.

3. You can wait for those installations until you're clean :)

4. "The router has a SPI and NAT filewall, do I still need a personal firewall?"

Not 100%. I also recommend to install 3rd party software firewall just only after you're clean. I give my suggestions a bit later.
 
Whos next?

Hi

Am I waiting for you to post again? or are you waiting for something from me?

If you are waiting for me please clarify what I should do next.

Please don't take this as me trying to hurry you up.

Phil
 
Hi

Please post back a fresh HijackThis after you have installed AVG free and moved from laptop that file to that computer & run that .reg file, no hurry :)
 
You must log in or register to reply here.
Back
Top