
Thread: Multiple malware/viruses; need help

  1. #1
    Junior Member
    Join Date
    Oct 2007
    Posts
    7

    Multiple malware/viruses; need help

    I tried doing the Kaspersky Online Scanner, but while scanning, the browser window would turn into a pop-up ad before it finished. Here is my HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:09:10 AM, on 10/26/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
    C:\WINDOWS\winshow.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\Words\Words.exe
    C:\Program Files\ISM2\ISMPack7.exe
    C:\Program Files\ISM\ISMModule8.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - C:\Program Files\Calorie-Count.com Toolbar\toolbar.dll (file missing)
    O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.5\webbuying.exe
    O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
    O4 - HKCU\..\Run: [ISMPack7] "C:\Program Files\ISM2\ISMPack7.exe"
    O4 - HKCU\..\Run: [ISMModule8] "C:\Program Files\ISM\ISMModule8.exe"
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\lmdsrngs.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - C:\Program Files\Calorie-Count.com Toolbar\toolbar.dll (file missing)
    O9 - Extra 'Tools' menuitem: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - C:\Program Files\Calorie-Count.com Toolbar\toolbar.dll (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase2895.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187559518296
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 9712 bytes

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Hello nurdogg
    Welcome to Safer Networking.

    Please read Before You Post
    All advice given by anyone volunteering here is taken at your own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen.



    Go to your Add/Remove Programs in the Control Panel and uninstall both of these programs, if they will let you. These are considered unsafe to run on your system.

    C:\Program Files\Calorie-Count
    C:\Program Files\Web Buying


    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    I need to see the Combofix log and a New HJT log please
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Junior Member
    Join Date
    Oct 2007
    Posts
    7

    Combofix log

    Hi Ken545,

    Thanks for your help. I couldn't remove either program, Web Buying or Calorie Counter. Web Buying didn't show up in add/remove programs and when I tried to remove Calorie Counter nothing happened.

    Here are the requested logs:

    ComboFix 07-10-23.2 - Nuri Mathieu 2007-10-26 18:08:30.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.458 [GMT -7:00]
    Running from: C:\Documents and Settings\Nuri Mathieu\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\check_LSA7.txt
    C:\DOCUME~1\NURIMA~1\STARTM~1\Programs\Startup\TA_Start.lnk
    C:\Documents and Settings\Christine Wuthrich\Start Menu\Programs\Outerinfo
    C:\Documents and Settings\Nuri Mathieu\Start Menu\Programs\Startup\TA_Start.lnk
    C:\Program Files\Common Files\hoke83122.dll
    C:\Program Files\ISM
    C:\Program Files\ISM\BndDrive7.dll
    C:\Program Files\ISM\bndloader.exe
    C:\Program Files\ISM\dictionary.gz
    C:\Program Files\ISM\ism.exe
    C:\Program Files\ISM\ISMModule8.exe
    C:\Program Files\ISM\targets.gz
    C:\Program Files\ISM\Uninstall.exe
    C:\Program Files\ISM2
    C:\Program Files\ISM2\dictionary.gz
    C:\Program Files\ISM2\ISMPack7.exe
    C:\Program Files\ISM2\targets.gz
    C:\Program Files\mbols~1
    C:\Program Files\mbols~1\??mbols\
    C:\Program Files\mcroso~1
    C:\Program Files\Temporary
    C:\Program Files\Words
    C:\Program Files\Words\list.txt
    C:\Program Files\Words\script.txt
    C:\Program Files\Words\UnInstall.exe
    C:\Program Files\Words\Words.exe
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\Temp\fCOe
    C:\Temp\fCOe\tOasF.log
    C:\Temp\fse
    C:\WINDOWS\b111.exe
    C:\WINDOWS\b143.exe
    C:\WINDOWS\b148.exe
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\awtst.dll
    C:\WINDOWS\system32\awvts.dll
    C:\WINDOWS\system32\awvtt.dll
    C:\WINDOWS\system32\awvvw.dll
    C:\WINDOWS\system32\ddabb.dll
    C:\WINDOWS\system32\ddccc.dll
    C:\WINDOWS\system32\ddccd.dll
    C:\WINDOWS\system32\ddcyx.dll
    C:\WINDOWS\system32\dgjlm.bak1
    C:\WINDOWS\system32\dgjlm.bak2
    C:\WINDOWS\system32\dgjlm.ini
    C:\WINDOWS\system32\edclckmh.dll
    C:\WINDOWS\system32\f02WtR
    C:\WINDOWS\system32\gebcy.dll
    C:\WINDOWS\system32\gebya.dll
    C:\WINDOWS\system32\gebyy.dll
    C:\WINDOWS\system32\geeda.dll
    C:\WINDOWS\system32\jkhfc.dll
    C:\WINDOWS\system32\jkhfe.dll
    C:\WINDOWS\system32\jkhhh.dll
    C:\WINDOWS\system32\jkhhi.dll
    C:\WINDOWS\system32\jkklk.dll
    C:\WINDOWS\system32\jkkll.dll
    C:\WINDOWS\system32\mljgd.dll
    C:\WINDOWS\system32\mljjj.dll
    C:\WINDOWS\system32\mljjk.dll
    C:\WINDOWS\system32\mlljk.dll
    C:\WINDOWS\system32\mllml.dll
    C:\WINDOWS\system32\oTt08e
    C:\WINDOWS\system32\oTt08e\oTt08e1099.exe
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\pmkhe.dll
    C:\WINDOWS\system32\pmkhi.dll
    C:\WINDOWS\system32\pmkjh.dll
    C:\WINDOWS\system32\pmkjk.dll
    C:\WINDOWS\system32\pmnli.dll
    C:\WINDOWS\system32\pmnlj.dll
    C:\WINDOWS\system32\ssqpq.dll
    C:\WINDOWS\system32\ssqrr.dll
    C:\WINDOWS\system32\sstqo.dll
    C:\WINDOWS\system32\ssttq.dll
    C:\WINDOWS\system32\ssttt.dll
    C:\WINDOWS\system32\urqpmji.dll
    C:\WINDOWS\system32\vtsqp.dll
    C:\WINDOWS\system32\vtsqr.dll
    C:\WINDOWS\system32\vtstq.dll
    C:\WINDOWS\system32\vtstu.dll
    C:\WINDOWS\system32\vturr.dll
    C:\WINDOWS\system32\vturs.dll
    C:\WINDOWS\system32\wintsvsu.exe
    C:\WINDOWS\winshow.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE


    ((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
    .

    2007-10-26 17:55 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-26 08:44 85,056 --a------ C:\WINDOWS\system32\hliieqhl.dll
    2007-10-25 21:08 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-10-25 15:02 5,369 --a------ C:\WINDOWS\system32\awtsr.dll
    2007-10-25 11:02 5,369 --a------ C:\WINDOWS\system32\pmkhh.dll
    2007-10-25 10:02 5,369 --a------ C:\WINDOWS\system32\pmkhg.dll
    2007-10-25 08:02 5,369 --a------ C:\WINDOWS\system32\ddayv.dll
    2007-10-25 04:02 5,369 --a------ C:\WINDOWS\system32\mljge.dll
    2007-10-25 01:02 5,369 --a------ C:\WINDOWS\system32\mljgg.dll
    2007-10-25 00:02 5,369 --a------ C:\WINDOWS\system32\mljgf.dll
    2007-10-24 23:02 5,369 --a------ C:\WINDOWS\system32\ssqro.dll
    2007-10-24 22:02 5,369 --a------ C:\WINDOWS\system32\pmnlk.dll
    2007-10-24 17:02 5,369 --a------ C:\WINDOWS\system32\ddabx.dll
    2007-10-24 13:01 5,369 --a------ C:\WINDOWS\system32\vtsqo.dll
    2007-10-24 11:01 5,369 --a------ C:\WINDOWS\system32\sstqr.dll
    2007-10-24 10:01 5,369 --a------ C:\WINDOWS\system32\mljjh.dll
    2007-10-24 08:01 5,369 --a------ C:\WINDOWS\system32\pmnnn.dll
    2007-10-24 07:01 5,369 --a------ C:\WINDOWS\system32\ssqpm.dll
    2007-10-24 06:01 5,369 --a------ C:\WINDOWS\system32\mlljj.dll
    2007-10-24 00:01 5,369 --a------ C:\WINDOWS\system32\vtutu.dll
    2007-10-23 20:48 5,369 --a------ C:\WINDOWS\system32\pmnnk.dll
    2007-10-23 17:18 5,369 --a------ C:\WINDOWS\system32\mljgh.dll
    2007-10-23 16:18 5,369 --a------ C:\WINDOWS\system32\mllmj.dll
    2007-10-23 02:27 5,369 --a------ C:\WINDOWS\system32\jkhfg.dll
    2007-10-23 00:27 5,369 --a------ C:\WINDOWS\system32\pmnnm.dll
    2007-10-22 20:50 5,369 --a------ C:\WINDOWS\system32\geedc.dll
    2007-10-22 12:31 5,369 --a------ C:\WINDOWS\system32\geede.dll
    2007-10-22 06:12 5,369 --a------ C:\WINDOWS\system32\ssqrp.dll
    2007-10-22 04:12 5,369 --a------ C:\WINDOWS\system32\jkkjk.dll
    2007-10-21 19:21 5,369 --a------ C:\WINDOWS\system32\jkhfd.dll
    2007-10-21 18:21 5,369 --a------ C:\WINDOWS\system32\ddcyv.dll
    2007-10-21 15:21 5,369 --a------ C:\WINDOWS\system32\sstts.dll
    2007-10-20 16:26 5,369 --a------ C:\WINDOWS\system32\sstqn.dll
    2007-10-20 11:01 5,369 --a------ C:\WINDOWS\system32\vtstr.dll
    2007-10-19 22:35 5,369 --a------ C:\WINDOWS\system32\vtutr.dll
    2007-10-19 19:35 5,369 --a------ C:\WINDOWS\system32\ddabc.dll
    2007-10-18 22:58 5,369 --a------ C:\WINDOWS\system32\awtsq.dll
    2007-10-18 20:58 5,369 --a------ C:\WINDOWS\system32\geedd.dll
    2007-10-18 19:58 5,369 --a------ C:\WINDOWS\system32\vtstt.dll
    2007-10-18 17:58 5,369 --a------ C:\WINDOWS\system32\mlljg.dll
    2007-10-18 16:58 5,369 --a------ C:\WINDOWS\system32\awtqr.dll
    2007-10-18 10:05 5,369 --a------ C:\WINDOWS\system32\vturo.dll
    2007-10-17 17:09 <DIR> d-------- C:\WINDOWS\system32\pod2
    2007-10-17 17:09 <DIR> d-------- C:\WINDOWS\system32\cap1
    2007-10-17 17:09 <DIR> d-------- C:\WINDOWS\system32\bib1
    2007-10-17 17:09 <DIR> d-------- C:\WINDOWS\system32\bco2
    2007-10-12 17:25 <DIR> d-------- C:\Program Files\Calorie-Count.com Toolbar
    2007-10-09 18:34 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-26 06:06 --------- d-----w C:\Program Files\Trend Micro
    2007-10-24 05:55 --------- d-----w C:\Program Files\Google
    2007-10-24 05:53 --------- d-----w C:\Program Files\Yahoo!
    2007-10-20 22:46 --------- d-----w C:\Program Files\Windows Live Safety Center
    2007-10-08 18:41 --------- d-----w C:\Program Files\Picasa2
    2007-09-26 03:59 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-09-15 17:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Corel
    2007-09-08 23:48 --------- d-----w C:\Program Files\Lavasoft
    2007-09-08 21:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-09-08 19:22 --------- d-----w C:\Program Files\CCleaner
    2007-09-08 18:40 --------- d-----w C:\Program Files\Free Offers from Freeze.com
    2007-07-23 22:27 60,968 ----a-w C:\DOCUME~1\Nuri Mathieu\GoToAssistDownloadHelper.exe
    2007-07-23 22:13 60,968 ----a-w C:\DOCUME~1\Administrator\GoToAssistDownloadHelper.exe
    2006-09-14 07:09 81,920 ----a-w C:\Documents and Settings\Nuri Mathieu\Application Data\ezpinst.exe
    2006-09-14 07:09 81,920 ----a-w C:\DOCUME~1\NURIMA~1\APPLIC~1\ezpinst.exe
    2006-09-14 07:09 47,360 ----a-w C:\Documents and Settings\Nuri Mathieu\Application Data\pcouffin.sys
    2006-09-14 07:09 47,360 ----a-w C:\DOCUME~1\NURIMA~1\APPLIC~1\pcouffin.sys
    2006-07-29 02:02:39 88 -csh--r C:\WINDOWS\system32\2107AEBFDA.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6e909b1b-412f-4d35-83e6-8049ff5785c7}]
    C:\WINDOWS\system32\fnaiqlp.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EDD2AF5-1AFA-4008-934B-0A933EB4C7FF}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 10:58]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 02:56]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-09-09 21:19 C:\WINDOWS\stsystra.exe]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-04-15 05:58]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
    "Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2006-03-16 00:07]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 08:44]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 12:59]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 18:49]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 18:50]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 18:46]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 12:01]
    "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 03:12]
    "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 03:20]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-15 08:44]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
    "AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
    "c0ae0922"="C:\WINDOWS\system32\hliieqhl.dll" [2007-10-26 08:44]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
    "OE_OEM"="C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 16:15]
    "ISMPack7"="C:\Program Files\ISM2\ISMPack7.exe" []
    "ISMModule8"="C:\Program Files\ISM\ISMModule8.exe" []

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbcya]
    gebbcya.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 14:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    S3 USA19H;USA19H;C:\WINDOWS\system32\DRIVERS\USA19H2k.sys
    S3 USA19H2KP;Keyspan USB Serial Port Driver;C:\WINDOWS\system32\DRIVERS\USA19H2kp.SYS

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    AutoRun\command


    .
    **************************************************************************

    catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-26 18:54:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-26 18:56:37 - machine was rebooted
    .
    --- E O F ---

  4. #4
    Junior Member
    Join Date
    Oct 2007
    Posts
    7

    New HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:58:03 PM, on 10/26/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: (no name) - {6e909b1b-412f-4d35-83e6-8049ff5785c7} - C:\WINDOWS\system32\fnaiqlp.dll (file missing)
    O2 - BHO: (no name) - {8EDD2AF5-1AFA-4008-934B-0A933EB4C7FF} - (no file)
    O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKLM\..\Run: [c0ae0922] rundll32.exe "C:\WINDOWS\system32\hliieqhl.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [ISMPack7] "C:\Program Files\ISM2\ISMPack7.exe"
    O4 - HKCU\..\Run: [ISMModule8] "C:\Program Files\ISM\ISMModule8.exe"
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
    O9 - Extra 'Tools' menuitem: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase2895.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187559518296
    O20 - Winlogon Notify: gebbcya - gebbcya.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 9711 bytes

  5. #5
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Do this please.

    Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad.

    File::
    C:\WINDOWS\system32\awtsr.dll
    C:\WINDOWS\system32\pmkhh.dll
    C:\WINDOWS\system32\pmkhg.dll
    C:\WINDOWS\system32\ddayv.dll
    C:\WINDOWS\system32\mljge.dll
    C:\WINDOWS\system32\mljgg.dll
    C:\WINDOWS\system32\mljgf.dll
    C:\WINDOWS\system32\ssqro.dll
    C:\WINDOWS\system32\pmnlk.dll
    C:\WINDOWS\system32\ddabx.dll
    C:\WINDOWS\system32\vtsqo.dll
    C:\WINDOWS\system32\sstqr.dll
    C:\WINDOWS\system32\mljjh.dll
    C:\WINDOWS\system32\pmnnn.dll
    C:\WINDOWS\system32\ssqpm.dll
    C:\WINDOWS\system32\mlljj.dll
    C:\WINDOWS\system32\vtutu.dll
    C:\WINDOWS\system32\pmnnk.dll
    C:\WINDOWS\system32\mljgh.dll
    C:\WINDOWS\system32\mllmj.dll
    C:\WINDOWS\system32\jkhfg.dll
    C:\WINDOWS\system32\pmnnm.dll
    C:\WINDOWS\system32\geedc.dll
    C:\WINDOWS\system32\geede.dll
    C:\WINDOWS\system32\ssqrp.dll
    C:\WINDOWS\system32\jkkjk.dll
    C:\WINDOWS\system32\jkhfd.dll
    C:\WINDOWS\system32\ddcyv.dll
    C:\WINDOWS\system32\sstts.dll
    C:\WINDOWS\system32\sstqn.dll
    C:\WINDOWS\system32\vtstr.dll
    C:\WINDOWS\system32\vtutr.dll
    C:\WINDOWS\system32\ddabc.dll
    C:\WINDOWS\system32\awtsq.dll
    C:\WINDOWS\system32\geedd.dll
    C:\WINDOWS\system32\vtstt.dll
    C:\WINDOWS\system32\mlljg.dll
    C:\WINDOWS\system32\awtqr.dll
    C:\WINDOWS\system32\vturo.dll


    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6e909b1b-412f-4d35-83e6-8049ff5785c7}]
    C:\WINDOWS\system32\fnaiqlp.dll

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EDD2AF5-1AFA-4008-934B-0A933EB4C7FF}]

    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbcya]
    gebbcya.dll

    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.





    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.



    Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

    O4 - HKCU\..\Run: [ISMPack7] "C:\Program Files\ISM2\ISMPack7.exe"
    O4 - HKCU\..\Run: [ISMModule8] "C:\Program Files\ISM\ISMModule8.exe"




    Please download OTMoveIt by OldTimer.

    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


      C:\Program Files\ISM
      C:\Program Files\ISM2
    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it into your next reply.
    • Close OTMoveIt


    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


    I need to see the new Combofix log, the OTMoveIt log and a new HJT log please.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  6. #6
    Junior Member
    Join Date
    Oct 2007
    Posts
    7

    Default new Combofix log

    ComboFix 07-10-23.2 - Nuri Mathieu 2007-10-26 20:03:52.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.268 [GMT -7:00]
    Running from: C:\Documents and Settings\Nuri Mathieu\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Nuri Mathieu\Desktop\CFScript.txt
    * Created a new restore point

    FILE::
    C:\WINDOWS\system32\awtqr.dll
    C:\WINDOWS\system32\awtsq.dll
    C:\WINDOWS\system32\awtsr.dll
    C:\WINDOWS\system32\ddabc.dll
    C:\WINDOWS\system32\ddabx.dll
    C:\WINDOWS\system32\ddayv.dll
    C:\WINDOWS\system32\ddcyv.dll
    C:\WINDOWS\system32\geedc.dll
    C:\WINDOWS\system32\geedd.dll
    C:\WINDOWS\system32\geede.dll
    C:\WINDOWS\system32\jkhfd.dll
    C:\WINDOWS\system32\jkhfg.dll
    C:\WINDOWS\system32\jkkjk.dll
    C:\WINDOWS\system32\mljge.dll
    C:\WINDOWS\system32\mljgf.dll
    C:\WINDOWS\system32\mljgg.dll
    C:\WINDOWS\system32\mljgh.dll
    C:\WINDOWS\system32\mljjh.dll
    C:\WINDOWS\system32\mlljg.dll
    C:\WINDOWS\system32\mlljj.dll
    C:\WINDOWS\system32\mllmj.dll
    C:\WINDOWS\system32\pmkhg.dll
    C:\WINDOWS\system32\pmkhh.dll
    C:\WINDOWS\system32\pmnlk.dll
    C:\WINDOWS\system32\pmnnk.dll
    C:\WINDOWS\system32\pmnnm.dll
    C:\WINDOWS\system32\pmnnn.dll
    C:\WINDOWS\system32\ssqpm.dll
    C:\WINDOWS\system32\ssqro.dll
    C:\WINDOWS\system32\ssqrp.dll
    C:\WINDOWS\system32\sstqn.dll
    C:\WINDOWS\system32\sstqr.dll
    C:\WINDOWS\system32\sstts.dll
    C:\WINDOWS\system32\vtsqo.dll
    C:\WINDOWS\system32\vtstr.dll
    C:\WINDOWS\system32\vtstt.dll
    C:\WINDOWS\system32\vturo.dll
    C:\WINDOWS\system32\vtutr.dll
    C:\WINDOWS\system32\vtutu.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\awtqr.dll
    C:\WINDOWS\system32\awtsq.dll
    C:\WINDOWS\system32\awtsr.dll
    C:\WINDOWS\system32\ddabc.dll
    C:\WINDOWS\system32\ddabx.dll
    C:\WINDOWS\system32\ddayv.dll
    C:\WINDOWS\system32\ddcyv.dll
    C:\WINDOWS\system32\geedc.dll
    C:\WINDOWS\system32\geedd.dll
    C:\WINDOWS\system32\geede.dll
    C:\WINDOWS\system32\jkhfd.dll
    C:\WINDOWS\system32\jkhfg.dll
    C:\WINDOWS\system32\jkkjk.dll
    C:\WINDOWS\system32\mljge.dll
    C:\WINDOWS\system32\mljgf.dll
    C:\WINDOWS\system32\mljgg.dll
    C:\WINDOWS\system32\mljgh.dll
    C:\WINDOWS\system32\mljjh.dll
    C:\WINDOWS\system32\mlljg.dll
    C:\WINDOWS\system32\mlljj.dll
    C:\WINDOWS\system32\mllmj.dll
    C:\WINDOWS\system32\pmkhg.dll
    C:\WINDOWS\system32\pmkhh.dll
    C:\WINDOWS\system32\pmnlk.dll
    C:\WINDOWS\system32\pmnnk.dll
    C:\WINDOWS\system32\pmnnm.dll
    C:\WINDOWS\system32\pmnnn.dll
    C:\WINDOWS\system32\ssqpm.dll
    C:\WINDOWS\system32\ssqro.dll
    C:\WINDOWS\system32\ssqrp.dll
    C:\WINDOWS\system32\sstqn.dll
    C:\WINDOWS\system32\sstqr.dll
    C:\WINDOWS\system32\sstts.dll
    C:\WINDOWS\system32\vtsqo.dll
    C:\WINDOWS\system32\vtstr.dll
    C:\WINDOWS\system32\vtstt.dll
    C:\WINDOWS\system32\vturo.dll
    C:\WINDOWS\system32\vtutr.dll
    C:\WINDOWS\system32\vtutu.dll

    .
    ((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
    .

    2007-10-26 17:55 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-26 08:44 85,056 --a------ C:\WINDOWS\system32\hliieqhl.dll
    2007-10-25 21:08 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-10-17 17:09 <DIR> d-------- C:\WINDOWS\system32\pod2
    2007-10-17 17:09 <DIR> d-------- C:\WINDOWS\system32\cap1
    2007-10-17 17:09 <DIR> d-------- C:\WINDOWS\system32\bib1
    2007-10-17 17:09 <DIR> d-------- C:\WINDOWS\system32\bco2
    2007-10-12 17:25 <DIR> d-------- C:\Program Files\Calorie-Count.com Toolbar
    2007-10-09 18:34 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-26 06:06 --------- d-----w C:\Program Files\Trend Micro
    2007-10-24 05:55 --------- d-----w C:\Program Files\Google
    2007-10-24 05:53 --------- d-----w C:\Program Files\Yahoo!
    2007-10-20 22:46 --------- d-----w C:\Program Files\Windows Live Safety Center
    2007-10-08 18:41 --------- d-----w C:\Program Files\Picasa2
    2007-09-26 03:59 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-09-15 17:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Corel
    2007-09-08 23:48 --------- d-----w C:\Program Files\Lavasoft
    2007-09-08 21:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-09-08 19:22 --------- d-----w C:\Program Files\CCleaner
    2007-09-08 18:40 --------- d-----w C:\Program Files\Free Offers from Freeze.com
    2007-07-23 22:27 60,968 ----a-w C:\DOCUME~1\Nuri Mathieu\GoToAssistDownloadHelper.exe
    2007-07-23 22:13 60,968 ----a-w C:\DOCUME~1\Administrator\GoToAssistDownloadHelper.exe
    2006-09-14 07:09 81,920 ----a-w C:\Documents and Settings\Nuri Mathieu\Application Data\ezpinst.exe
    2006-09-14 07:09 81,920 ----a-w C:\DOCUME~1\NURIMA~1\APPLIC~1\ezpinst.exe
    2006-09-14 07:09 47,360 ----a-w C:\Documents and Settings\Nuri Mathieu\Application Data\pcouffin.sys
    2006-09-14 07:09 47,360 ----a-w C:\DOCUME~1\NURIMA~1\APPLIC~1\pcouffin.sys
    2006-07-29 02:02:39 88 -csh--r C:\WINDOWS\system32\2107AEBFDA.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2007-10-26_18.56.08.67 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-10-27 03:15:56 40,960 ----a-w C:\WINDOWS\TEMP\rtdrvmon.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 10:58]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 02:56]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-09-09 21:19 C:\WINDOWS\stsystra.exe]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-04-15 05:58]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
    "Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2006-03-16 00:07]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 08:44]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 12:59]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 18:49]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 18:50]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 18:46]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 12:01]
    "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 03:12]
    "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 03:20]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-15 08:44]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
    "AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
    "c0ae0922"="C:\WINDOWS\system32\hliieqhl.dll" [2007-10-26 08:44]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
    "OE_OEM"="C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 16:15]
    "ISMPack7"="C:\Program Files\ISM2\ISMPack7.exe" []
    "ISMModule8"="C:\Program Files\ISM\ISMModule8.exe" []

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 14:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    S3 USA19H;USA19H;C:\WINDOWS\system32\DRIVERS\USA19H2k.sys
    S3 USA19H2KP;Keyspan USB Serial Port Driver;C:\WINDOWS\system32\DRIVERS\USA19H2kp.SYS

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    AutoRun\command


    .
    **************************************************************************

    catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-26 20:16:07
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-26 20:18:07 - machine was rebooted
    C:\ComboFix2.txt ... 2007-10-26 18:56
    .
    --- E O F ---

  7. #7
    Junior Member
    Join Date
    Oct 2007
    Posts
    7

    Default New HJT log and OTMoveIt results

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:27:49 PM, on 10/26/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Nuri Mathieu\Desktop\OTMoveIt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKLM\..\Run: [c0ae0922] rundll32.exe "C:\WINDOWS\system32\hliieqhl.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
    O9 - Extra 'Tools' menuitem: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase2895.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187559518296
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 9300 bytes


    File/Folder not found.
    File/Folder C:\Program Files\ISM not found.
    File/Folder C:\Program Files\ISM2 not found.

    Created on 10/26/2007 20:25:19

  8. #8
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Good Morning,

    We need to make sure all hidden files are showing:
    • Click Start.
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View tab.
    • Under the Hidden files and folders heading select Show hidden files and folders.
    • Uncheck the Hide file extensions for known types option.
    • Uncheck the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.

    Once your system is clean, we suggest that you reverse this to keep critical Windows files from accidentally being deleted.


    Go to this site Jotti Upload and under the browse feature, browse to this file
    C:\WINDOWS\system32\hliieqhl.dll

    Then click on Submit, it will give you a report, post the report in your next reply.



    • Your Java is out of date and leaving your system vulnerable.
    • Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
    • It should have an icon next to it:

      Select it and click Remove.
    • Reboot your system.
    • Then go to the Sun Microsystems and install the update
    • Java Runtime Environment Version 6 Update 3 <--This is what you need to download and install.
    • If you chose the online installation, it will prompt you to run the program.
    • If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
    • Then after install you can verify your installation here Sun Java Verify
    I like to do the offline installation and save the setup file in case I may need it in the future.



    What we removed was a serious Vundo infection, and the thieves have written it to evade a HJT scan. By renaming it, if any of it is still present it will show up on your log, so do this please.


    This is important, do this before you post a HJT log
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right click on HijackThis.exe (looks like a man with a spyglass) and rename it to Scanner.exe
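
Added example, not part of the thread or of any tool named in it: a Python triage script that parses HijackThis lines like the ones posted above, marks entries worth reading first, extracts the DLL a `rundll32` autorun points at (the file the helper asks to have scanned), and compares the log from before the CFScript run with the one after it. The three review heuristics and all function names are assumptions made for this illustration; the sample lines are excerpted from the logs in this thread.

```python
import re
from typing import NamedTuple, Optional

# Lines excerpted from the HijackThis log posted before the CFScript run.
BEFORE = r"""
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [c0ae0922] rundll32.exe "C:\WINDOWS\system32\hliieqhl.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISMPack7] "C:\Program Files\ISM2\ISMPack7.exe"
O9 - Extra button: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
O20 - Winlogon Notify: gebbcya - gebbcya.dll (file missing)
"""

# Lines excerpted from the HijackThis log posted after the CFScript run.
AFTER = r"""
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [c0ae0922] rundll32.exe "C:\WINDOWS\system32\hliieqhl.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
"""

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
# Body of an O4 registry autorun: hive, abbreviated path, key, [value name], command.
RUN_RE = re.compile(r"^(?P<hive>\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Command that starts rundll32 (with or without a path) on a DLL.
RUNDLL_RE = re.compile(r'^"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)', re.I)
# HijackThis marks entries whose target file does not exist.
MISSING_RE = re.compile(r"\((?:file missing|no file)\)$", re.I)
# Illustrative heuristic: value name made of exactly eight hex digits.
HEXNAME_RE = re.compile(r"[0-9a-f]{8}", re.I)


class Entry(NamedTuple):
    code: str       # section code such as O4 or O20
    body: str       # rest of the line
    reasons: tuple  # review markers; empty when none applies


def dll_target(body: str) -> Optional[str]:
    """Return the DLL a rundll32 autorun loads, or None for other entries."""
    run = RUN_RE.match(body)
    if not run:
        return None
    hit = RUNDLL_RE.match(run["cmd"])
    return hit["dll"] if hit else None


def review_reasons(code: str, body: str) -> list:
    """Markers that make an entry worth a closer look (not a verdict)."""
    reasons = []
    if MISSING_RE.search(body):
        reasons.append("missing-file")
    if code == "O4":
        run = RUN_RE.match(body)
        if run:
            if dll_target(body):
                reasons.append("rundll32-autorun")
            if HEXNAME_RE.fullmatch(run["name"]):
                reasons.append("hex-value-name")
    return reasons


def parse(log: str) -> list:
    """Turn HijackThis text into Entry records, skipping non-entry lines."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            code, body = m.groups()
            entries.append(Entry(code, body, tuple(review_reasons(code, body))))
    return entries


def triage(before: str, after: str) -> dict:
    """Split the marked entries of `before` by whether `after` still lists them."""
    remaining = {(e.code, e.body) for e in parse(after)}
    result = {"persisting": [], "cleared": []}
    for e in parse(before):
        if e.reasons:
            key = "persisting" if (e.code, e.body) in remaining else "cleared"
            result[key].append(e)
    return result


if __name__ == "__main__":
    for state, entries in triage(BEFORE, AFTER).items():
        for e in entries:
            target = dll_target(e.body)
            extra = f" -> scan {target}" if target else ""
            print(f"{state:10} {e.code:4} {', '.join(e.reasons)}: {e.body}{extra}")
```

The `ISMPack7` entry, which the helper had fixed by hand, carries no marker here: these heuristics narrow down what to read first and do not replace a reviewer who recognises entries by name.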

  9. #9
    Junior Member
    Join Date
    Oct 2007
    Posts
    7

    Default Jotti scan results + new HJT log

    Service
    Service load:
    0% 100%
    File: hliieqhl.dll
    Status:
    OK
    MD5: 1055ef05f25f240b72b9842f2caa7c6b
    Packers detected:
    -
    Bit9 reports: File not found

    Scanner results
    Scan taken on 27 Oct 2007 17:29:06 (GMT)
    A-Squared
    Found nothing
    AntiVir
    Found nothing
    ArcaVir
    Found nothing
    Avast
    Found nothing
    AVG Antivirus
    Found nothing
    BitDefender
    Found nothing
    ClamAV
    Found nothing
    CPsecure
    Found nothing
    Dr.Web
    Found nothing
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found nothing
    Fortinet
    Found nothing
    Kaspersky Anti-Virus
    Found nothing
    NOD32
    Found nothing
    Norman Virus Control
    Found nothing
    Panda Antivirus
    Found nothing
    Rising Antivirus
    Found nothing
    Sophos Antivirus
    Found nothing
    VirusBuster
    Found nothing
    VBA32
    Found nothing

    Last file scanned at least one scanner reported something about: ldr.exe (MD5: 8fa60eca819340f2fd769a2e8683e8e4, size: 42496 bytes), detected by:

    Scanner Malware name
    A-Squared X
    AntiVir X
    ArcaVir X
    Avast X
    AVG Antivirus X
    BitDefender X
    ClamAV X
    CPsecure X
    Dr.Web X
    F-Prot Antivirus X
    F-Secure Anti-Virus X
    Fortinet X
    Kaspersky Anti-Virus X
    NOD32 X
    Norman Virus Control X
    Panda Antivirus X
    Rising Antivirus X
    Sophos Antivirus Mal/Behav-066
    VirusBuster X
    VBA32 X


    You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives
    We are not affiliated with any third parties that conduct tests using this service.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:58:49 AM, on 10/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\Scanner.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKLM\..\Run: [c0ae0922] rundll32.exe "C:\WINDOWS\system32\hliieqhl.dll",b
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
    O9 - Extra 'Tools' menuitem: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase2895.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187559518296
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 9284 bytes

  10. #10
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Your log looks fine.

    Do a Windows search for this one: ldr.exe. Let me know if it's present and where the file is located.

    How are things running now?
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
