
Thread: Virus alert: Help

  1. #1
    Junior Member
    Join Date
    Nov 2007
    Posts
    11

    Virus alert: Help

    IE crash number 5 while trying to post. Here is the HJT log.

    HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:04:51 AM, on 27/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
    C:\WINDOWS\system32\mdm3.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre0.dll
    O2 - BHO: IP - {000051AF-07E2-461B-BA37-A2AF7E652E7D} - C:\Documents and Settings\All Users\Application Data\ipd\ipb.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre0.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb124\Dealio.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Module - {A2487E9B-AAE5-4d21-ADDE-1F342354974A} - supstar1.dll (file missing)
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre0.dll
    O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb124\Dealio.dll
    O4 - HKLM\..\Run: [IntelliPoint] -"C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [AS00_WN311B] -C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe -hide
    O4 - HKLM\..\Run: [NvCplDaemon] -RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] -nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] -RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [OpwareSE2] -"C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [type32] -"C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [dla] -C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] -"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [NVMixerTray] -"C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [QuickTime Task] -"C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] -"C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [UpdReg] -C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] -"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] -"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [HostManager] -C:\Program Files\Common Files\AOL\1180266560\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] -"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [nForce Tray Options] -sstray.exe /r
    O4 - HKLM\..\Run: [NWEReboot] -
    O4 - HKLM\..\Run: [NeroFilterCheck] -C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PWRISOVM.EXE] -C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [CreativeMouse ] -C:\Program Files\Mouse Driver\MouseDrv.exe
    O4 - HKLM\..\Run: [CloneCDTray] -"C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [{E4-43-32-23-ZN}] -c:\windows\system32\dwdsregt.exe OLI001
    O4 - HKLM\..\Run: [au] -C:\Program Files\Dealio\DealioAU.exe
    O4 - HKLM\..\Run: [Winupdates] mdm3.exe
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
    O4 - HKCU\..\Run: [QuickTime Task] -"C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [msnmsgr] -"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] -"C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Gail\Local Settings\Temp\bundle.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\Gail\Application Data\Dealio\kb124\res\DealioSearch.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb124\Dealio.dll
    O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb124\Dealio.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/.../GAME_UNO1.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
    O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - -"C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe" (file missing)
    O23 - Service: Bluetooth Service (btwdins) - Unknown owner - -C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: iPod Service - Unknown owner - -"C:\Program Files\iPod\bin\iPodService.exe" (file missing)
    O23 - Service: Machine Debug Manager (MDM) - Unknown owner - -"C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (file missing)
    O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - -"C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe" (file missing)
    O23 - Service: WinFast(R) Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Microsoft Office Diagnostics Service (odserv) - Unknown owner - -"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE" (file missing)
    O23 - Service: Office Source Engine (ose) - Unknown owner - -"C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (file missing)
    O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - Unknown owner - -C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe (file missing)
    O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - Unknown owner - -C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe (file missing)
    O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"C:\Program Files\MSN Messenger\usnsvc.exe" (file missing)
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
    O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - -"C:\Program Files\Windows Media Player\WMPNetwk.exe" (file missing)

    --
    End of file - 12894 bytes

    Will post Kaspersky next post. Thanx in advance, guys.

  2. #2
    Junior Member
    Join Date
    Nov 2007
    Posts
    11


    ahhhhhh damn, IE crashes.

    Kaspersky too long. Breakdown is 7 viruses; 14 infections.

    Anything else I can give you to help, just let me know. Will try and put a rundown of problems in another post. Just over the crashing.

  3. #3
    Junior Member
    Join Date
    Nov 2007
    Posts
    11


    Basically IE crashing (obviously) and opening dummy windows.

    Run, Task Manager and regedit were disabled (I fixed this before I came to the forum).

    A lot of my startup programs have stopped working, like Netgear Manager, so I have to start it to get online, and Messenger and things like that are all disabled to start.

    This is my parents' computer and it seems full of crap, so any help you can give me would be appreciated.

  4. #4
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,538


    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    For your information:
    Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count. The same applies to bumping, please don't.
    I am not sure if this is just junk on the computer or something hidden? Let's clean what I see, and see what happens.

    1) How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm. Click OK.
    You may reverse this for safety when we are finished.

    2) Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    3) TeaTimer will block changes we must make, use these instructions to turn it off until we are done.
    http://russelltexas.com/malware/teatimer.htm

    4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre0.dll
    O2 - BHO: IP - {000051AF-07E2-461B-BA37-A2AF7E652E7D} - C:\Documents and Settings\All Users\Application Data\ipd\ipb.dll
    O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre0.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Module - {A2487E9B-AAE5-4d21-ADDE-1F342354974A} - supstar1.dll (file missing)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre0.dll
    O4 - HKLM\..\Run: [{E4-43-32-23-ZN}] -c:\windows\system32\dwdsregt.exe OLI001
    O4 - HKLM\..\Run: [Winupdates] mdm3.exe
    O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Gail\Local Settings\Temp\bundle.exe
    O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\Gail\Application Data\Dealio\kb124\res\DealioSearch.html
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    5) RIGHT Click on Start then click on Explore. Locate and delete these items:

    C:\WINDOWS\system32\mdm3.exe <<< delete that file

    c:\windows\system32\dwdsregt.exe <<< delete that file

    C:\Documents and Settings\Gail\Local Settings\Temp\ <<< delete the contents of that Temp folder (not the folder)

    6) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Restart, post a new HJT log and some feedback.

    Thanks

    I do need to see the Kaspersky, if you think you can post the items marked infected without missing any, go ahead.

    Internet Explorer v6.00 <<< as soon as the computer is running right, I suggest you update to IE7, if just for the additional security it affords. Do not do this until we are finished.
    http://www.microsoft.com/windows/pro...e/default.mspx
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
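As an added example (not code from this thread, from HijackThis or from pskelley), the Python below parses HJT-style O2/O3/O4/O9 lines and flags the same kinds of entries checked in the list above: orphaned components ("(no file)" / "(file missing)"), Run values whose command is a bare executable name, startup items launched from a Temp folder, and brace-token value names. The sample lines and the heuristics are constructed for this example, so treat the flags as triage hints, not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: HijackThis-style lines modelled on the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Module - {A2487E9B-AAE5-4d21-ADDE-1F342354974A} - supstar1.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [IntelliPoint] -"C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [{E4-43-32-23-ZN}] -c:\windows\system32\dwdsregt.exe OLI001
O4 - HKLM\..\Run: [Winupdates] mdm3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Gail\Local Settings\Temp\bundle.exe
O4 - Global Startup: Bluetooth.lnk = ?
"""


@dataclass
class Entry:
    section: str                      # HJT section code, e.g. "O2" or "O4"
    name: str                         # display name, Run value name or .lnk name
    target: str                       # DLL path, command line or shortcut target
    raw: str
    reasons: List[str] = field(default_factory=list)


# "HKLM\..\Run: [ValueName] command"   (also "HKUS\S-1-5-18\..\Run: ...")
RUN_RE = re.compile(r"^HK\S*?\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<target>.*)$")
# "Startup: Foo.lnk = target"   (also "Global Startup: ...")
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<name>.+?\.lnk) = (?P<target>.*)$")
# "BHO: Name - {CLSID} - path"   (same shape for O3 toolbars and O9 buttons)
COM_RE = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HJT log line into an Entry; None for line types this example does not model."""
    m = re.match(r"^(?P<sec>[RO]\d{1,2}) - (?P<rest>.+)$", line.strip())
    if not m:
        return None
    for rx in (RUN_RE, STARTUP_RE, COM_RE):
        mm = rx.match(m.group("rest"))
        if mm:
            return Entry(m.group("sec"), mm.group("name"), mm.group("target"), line.strip())
    return None


def first_token(cmd: str) -> str:
    """Executable part of a Run command; the log in this thread shows a leading '-' on these values."""
    cmd = cmd.strip().lstrip("-").strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(entry: Entry) -> Entry:
    """Attach heuristic reasons (constructed for this example) mirroring what the helper flagged."""
    low = entry.target.lower().rstrip()
    if low.endswith("(no file)") or low.endswith("(file missing)"):
        entry.reasons.append("orphaned: registered component has no file on disk")
    if entry.section == "O4":
        exe = first_token(entry.target)
        if exe.lower().endswith(".exe") and "\\" not in exe:
            entry.reasons.append("bare executable name: resolved via the search path, not a fixed location")
        if "\\temp\\" in low:
            entry.reasons.append("starts from a Temp folder")
        if re.fullmatch(r"\{[^}]*\}", entry.name):
            entry.reasons.append("Run value name is a random-looking brace token")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Parse a whole log and return only the entries with at least one reason."""
    flagged = []
    for line in text.splitlines():
        e = parse_line(line)
        if e and triage(e).reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.section} [{e.name}] -> {'; '.join(e.reasons)}")
```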

  5. #5
    Junior Member
    Join Date
    Nov 2007
    Posts
    11

    oops

    Thanx pskelley, I appreciate your help immensely. I just thought I should mention, before I got into the nitty gritty of removal, that I may have accidentally already upgraded to IE7.

    Now, should I roll back these changes, or can we work around it? Sorry if this action has stuffed things up.

    If you would like me to post a new HJT Log I will do so.

    Here is the Kaspersky Log with the malware and viruses.

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Thursday, November 29, 2007 5:57:09 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 29/11/2007
    Kaspersky Anti-Virus database records: 468005
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 106424
    Number of viruses found: 7
    Number of infected objects: 14
    Number of suspicious objects: 0
    Duration of the scan process: 01:33:12


    C:\dnloi.exe Infected: Trojan.Win32.Agent.cxs skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet.zip/NDNuninstall6_38.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService10.zip/core.sys Infected: Rootkit.Win32.Agent.eq skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService10.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZenoSearch.zip/dwdsregt.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZenoSearch.zip ZIP: infected - 1 skipped
    C:\System Volume Information\_restore{7146D74B-D944-42FA-8197-867ADE313B8C}\RP256\A0048710.dll Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
    C:\System Volume Information\_restore{7146D74B-D944-42FA-8197-867ADE313B8C}\RP256\A0048777.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
    C:\System Volume Information\_restore{7146D74B-D944-42FA-8197-867ADE313B8C}\RP256\A0048779.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
    C:\System Volume Information\_restore{7146D74B-D944-42FA-8197-867ADE313B8C}\RP256\A0048824.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\System Volume Information\_restore{7146D74B-D944-42FA-8197-867ADE313B8C}\RP256\A0049025.sys Infected: Rootkit.Win32.Agent.eq skipped
    C:\WINDOWS\system32\dxdllreg.exe Infected: Trojan-Downloader.Win32.Agent.dcy skipped
    C:\WINDOWS\system32\mdm3.exe Infected: Trojan-Downloader.Win32.Agent.fje skipped

  6. #6
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,538


    That's not a problem, updating to IE7, it's the right thing to do, just the wrong time. I would have liked to see if the malware we removed was causing the problem or the old version of IE, and now we will never know.

    KASPERSKY ONLINE SCANNER REPORT Thursday, November 29, 2007 5:57:09 PM
    Number of infected objects: 14

    (we may have killed some of this stuff with the last instructions, just check to be sure)

    C:\dnloi.exe <<< delete that file

    C:\WINDOWS\system32\dxdllreg.exe <<< delete that file

    C:\WINDOWS\system32\mdm3.exe <<< delete that file

    (6) C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< clean the contents of that Recovery folder.
    http://ict.cas.psu.edu/training/howt...vespybot.htm#1

    Restart the computer:

    The rest are in System Restore, these instructions will clean it:
    http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

    I have seen the Rootkit word a couple of times, please let ComboFix have a look:
    Thanks to sUBs and anyone else who helped with this fix.

    Download ComboFix from Here or Here to your Desktop
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  7. #7
    Junior Member
    Join Date
    Nov 2007
    Posts
    11

    gettin there

    alrightie, I have done this all except:

    c:\windows\system32\dwdsregt.exe <<< delete that file

    I couldn't find this file.

    Ummm, that "Dealio" toolbar: I never installed that program, it just appeared when this got unbearable. Should I get rid of that also? Things seem to be running a bit better, IE is certainly starting up quicker. Although I noticed that Spybot is taking an unusual amount of time to start.

    Could you also help me with this: ever since the infection neither of these run at startup anymore, although this is how it is set up. I assume it's the flags at the end that are stopping it. We can leave this till later.

    O4 - HKLM\..\Run: [AS00_WN311B] -C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe -hide

    O4 - HKCU\..\Run: [msnmsgr] -"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    I did go into the registry, but neither of these entries were there??

    It also disabled Start/Run, Task Manager and Regedit, although I fixed these before I came to the forum.

    Ok Logs

    HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:32:36 PM, on 2/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    R3 - URLSearchHook: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb124\Dealio.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb124\Dealio.dll
    O4 - HKLM\..\Run: [IntelliPoint] -"C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [AS00_WN311B] -C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe -hide
    O4 - HKLM\..\Run: [NvCplDaemon] -RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] -nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] -RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [OpwareSE2] -"C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [type32] -"C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [dla] -C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] -"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [NVMixerTray] -"C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [QuickTime Task] -"C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] -"C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [UpdReg] -C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] -"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] -"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [HostManager] -C:\Program Files\Common Files\AOL\1180266560\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] -"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [nForce Tray Options] -sstray.exe /r
    O4 - HKLM\..\Run: [NWEReboot] -
    O4 - HKLM\..\Run: [NeroFilterCheck] -C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PWRISOVM.EXE] -C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [CreativeMouse ] -C:\Program Files\Mouse Driver\MouseDrv.exe
    O4 - HKLM\..\Run: [CloneCDTray] -"C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [au] -C:\Program Files\Dealio\DealioAU.exe
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
    O4 - HKCU\..\Run: [QuickTime Task] -"C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [msnmsgr] -"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] -"C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb124\Dealio.dll
    O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb124\Dealio.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/.../GAME_UNO1.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1196222664953
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
    O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - -"C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe" (file missing)
    O23 - Service: Bluetooth Service (btwdins) - Unknown owner - -C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: iPod Service - Unknown owner - -"C:\Program Files\iPod\bin\iPodService.exe" (file missing)
    O23 - Service: Machine Debug Manager (MDM) - Unknown owner - -"C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (file missing)
    O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - -"C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe" (file missing)
    O23 - Service: WinFast(R) Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Office Source Engine (ose) - Unknown owner - -"C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (file missing)
    O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - Unknown owner - -C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe (file missing)
    O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - Unknown owner - -C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe (file missing)
    O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"C:\Program Files\MSN Messenger\usnsvc.exe" (file missing)
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
    O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - -"C:\Program Files\Windows Media Player\WMPNetwk.exe" (file missing)

    --
    End of file - 11616 bytes

  8. #8
    Junior Member
    Join Date
    Nov 2007
    Posts
    11


    Combofix Log

    ComboFix 07-12-02.5 - Gail 2007-12-02 12:51:49.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.618 [GMT 11:00]
    Running from: C:\Documents and Settings\Gail\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Gail\Start Menu\Programs\Startup\ta_start.lnk
    C:\WINDOWS\system32\alog.txt
    C:\WINDOWS\system32\conf.dat
    C:\WINDOWS\system32\xpdx.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CORE
    -------\xpdx


    ((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
    .

    2007-12-01 02:23 . 2007-12-01 02:23 97,216 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
    2007-11-29 06:48 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2007-11-29 06:48 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
    2007-11-28 15:42 . 2007-08-20 21:04 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-11-28 15:42 . 2007-04-17 20:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
    2007-11-28 15:42 . 2007-03-08 16:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
    2007-11-28 15:42 . 2007-08-20 21:04 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-11-28 15:42 . 2007-08-20 21:04 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-11-28 15:42 . 2007-08-20 21:04 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-11-28 15:42 . 2007-08-20 21:04 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
    2007-11-28 15:42 . 2007-08-20 21:04 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-11-28 15:42 . 2007-08-17 21:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-11-28 15:24 . 2007-11-28 15:24 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-11-27 15:56 . 2007-11-27 15:56 330 --a------ C:\WINDOWS\cdPlayer.ini
    2007-11-27 15:38 . 2007-11-27 15:52 28,276 --a------ C:\WINDOWS\system32\drivers\MxlW2k.sys
    2007-11-27 15:37 . 2007-11-27 15:38 <DIR> d-------- C:\Program Files\MUSICMATCH
    2007-11-27 08:04 . 2007-11-27 08:04 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-26 10:39 . 2007-11-26 10:39 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-11-26 10:39 . 2007-11-26 10:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-26 09:54 . 2007-11-26 09:54 <DIR> d-------- C:\Program Files\Lavasoft
    2007-11-26 09:54 . 2007-11-26 09:54 <DIR> d-------- C:\Documents and Settings\Gail\Application Data\Lavasoft
    2007-11-26 07:52 . 2007-12-02 12:58 <DIR> d-------- C:\WINDOWS\CAVTemp
    2007-11-26 07:03 . 2007-11-26 07:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
    2007-11-26 07:03 . 2007-11-26 07:03 26,787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
    2007-11-26 07:02 . 2007-11-26 07:02 <DIR> d-------- C:\Program Files\CA
    2007-11-26 07:01 . 2007-11-26 08:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-26 06:40 . 2007-11-26 06:40 1 --a------ C:\WINDOWS\system32\rc.dat
    2007-11-26 06:40 . 2007-11-26 06:40 1 --a------ C:\WINDOWS\system32\ps1.dat
    2007-11-26 06:40 . 2007-11-26 06:40 1 --a------ C:\WINDOWS\system32\cookie1.dat
    2007-11-26 06:39 . 2007-11-26 06:39 <DIR> d-------- C:\Program Files\Dealio
    2007-11-26 06:39 . 2007-11-26 06:39 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
    2007-11-26 06:39 . 2007-11-26 06:39 <DIR> d-------- C:\Documents and Settings\Gail\Application Data\Dealio
    2007-11-26 06:39 . 2007-11-26 06:39 52,736 --a------ C:\WINDOWS\system32\supstar1.dll
    2007-11-26 06:39 . 2007-11-26 06:39 8,464 --a------ C:\WINDOWS\system32\sporder.dll
    2007-11-26 06:39 . 2007-11-26 06:40 2 --a------ C:\-1737604317
    2007-11-26 06:38 . 2007-11-26 06:38 <DIR> d-------- C:\Documents and Settings\Gail\Application Data\IBPlugin
    2007-11-26 06:38 . 2007-11-26 06:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tarma Installer
    2007-11-26 06:38 . 2007-12-02 12:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ipd
    2007-11-24 03:25 . 2007-11-24 03:25 <DIR> d-------- C:\Documents and Settings\Gail\Application Data\Windows Desktop Search
    2007-11-24 03:23 . 2007-11-24 03:23 <DIR> d-------- C:\Program Files\Windows Desktop Search
    2007-11-23 09:02 . 2007-11-23 09:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
    2007-11-23 07:53 . 2007-11-23 08:40 <DIR> d-------- C:\Program Files\DVD Region+CSS Free Lite
    2007-11-23 07:53 . 2007-11-23 07:53 67 --a------ C:\WINDOWS\DVDRegionFreeLite.INI
    2007-11-16 04:03 . 2007-11-16 04:03 <DIR> d--h----- C:\WINDOWS\PIF
    2007-11-14 23:05 . 2003-12-12 16:06 1,693,696 --a------ C:\WINDOWS\system32\ltclr13n.dll
    2007-11-14 23:05 . 2003-11-04 15:11 155,648 --a------ C:\WINDOWS\system32\lftif13n.dll
    2007-11-14 23:05 . 2003-11-04 15:10 98,304 --a------ C:\WINDOWS\system32\lffax13n.dll
    2007-11-14 01:44 . 2007-11-14 01:44 <DIR> d-------- C:\Program Files\DVD Shrink
    2007-11-14 01:44 . 2007-11-14 01:44 <DIR> d-------- C:\Program Files\DVD Decrypter
    2007-11-14 01:44 . 2007-11-29 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
    2007-11-08 20:56 . 1997-12-23 02:00 48,128 --a------ C:\WINDOWS\system32\WNASPI32.DLL
    2007-11-08 20:56 . 1997-12-23 02:00 23,936 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
    2007-11-08 20:56 . 1997-12-23 02:00 5,600 --a------ C:\WINDOWS\system\WINASPI.DLL
    2007-11-08 20:56 . 1997-12-23 02:00 4,672 --a------ C:\WINDOWS\system\WOWPOST.EXE
    2007-11-08 18:37 . 2007-11-23 09:02 48 ---hs---- C:\WINDOWS\S129F18E5.tmp
    2007-11-08 18:36 . 2007-11-23 08:58 <DIR> d-------- C:\Program Files\SlySoft
    2007-11-08 18:12 . 2007-11-24 02:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-11-08 18:12 . 2007-11-08 18:12 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-11-04 12:58 . 2007-11-04 13:41 <DIR> d-------- C:\Program Files\XviD2

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-28 04:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2007-11-27 10:27 --------- d-----w C:\Program Files\PartyGaming
    2007-11-27 04:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-25 20:03 879,832 ----a-w C:\WINDOWS\system32\drivers\VetEFile.sys
    2007-11-25 20:03 108,360 ----a-w C:\WINDOWS\system32\drivers\VetEBoot.sys
    2007-11-25 20:02 75,304 ----a-w C:\WINDOWS\system32\VetRedir.dll
    2007-11-25 20:02 21,031 ----a-w C:\WINDOWS\system32\drivers\Vet-Filt.sys
    2007-11-25 20:02 15,735 ----a-w C:\WINDOWS\system32\drivers\VetFDDNT.sys
    2007-11-25 20:02 15,478 ----a-w C:\WINDOWS\system32\drivers\Vet-Rec.sys
    2007-11-25 20:02 116,264 ----a-w C:\WINDOWS\UnVet32.exe
    2007-11-25 20:02 112,168 ----a-w C:\WINDOWS\AVShlExt.dll
    2007-11-25 19:29 --------- d-----w C:\Documents and Settings\Gail\Application Data\uTorrent
    2007-11-22 18:44 --------- d-----w C:\Program Files\Windows Live Safety Center
    2007-11-17 13:10 --------- d-----w C:\Program Files\Google
    2007-11-15 06:27 --------- d-----w C:\Program Files\Freecorder
    2007-11-04 01:52 --------- d-----w C:\Program Files\XviD
    2007-10-30 21:04 --------- d-----w C:\Program Files\Freecorder Toolbar
    2007-10-24 18:12 --------- d-----w C:\Program Files\WIDCOMM
    2007-10-24 16:59 --------- d-----w C:\Program Files\Mouse Driver
    2007-10-23 18:40 --------- d-----w C:\Program Files\Java
    2003-03-15 16:00 7,216 ----a-w C:\WINDOWS\inf\RAMDISK.SYS
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{000051AF-07E2-461B-BA37-A2AF7E652E7D}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2487E9B-AAE5-4d21-ADDE-1F342354974A}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="-C:\Program Files\QuickTime\qttask.exe" []
    "msnmsgr"="-C:\Program Files\MSN Messenger\MsnMsgr.exe" []
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 23:00]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="-C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" []
    "AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-12-01 02:28]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelliPoint"="-C:\Program Files\Microsoft IntelliPoint\point32.exe" []
    "AS00_WN311B"="-C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe" []
    "NvCplDaemon"="-RUNDLL32.exe" []
    "nwiz"="-nwiz.exe" []
    "NvMediaCenter"="-RUNDLL32.exe" []
    "OpwareSE2"="-C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" []
    "type32"="-C:\Program Files\Microsoft IntelliType Pro\type32.exe" []
    "dla"="-C:\WINDOWS\system32\dla\tfswctrl.exe" []
    "StorageGuard"="-C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" []
    "NVMixerTray"="-C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" []
    "QuickTime Task"="-C:\Program Files\QuickTime\qttask.exe" []
    "iTunesHelper"="-C:\Program Files\iTunes\iTunesHelper.exe" []
    "UpdReg"="-C:\WINDOWS\UpdReg.EXE" []
    "SunJavaUpdateSched"="-C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" []
    "GrooveMonitor"="-C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" []
    "HostManager"="-C:\Program Files\Common Files\AOL\1180266560\ee\AOLSoftware.exe" []
    "Adobe Reader Speed Launcher"="-C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" []
    "nForce Tray Options"="-sstray.exe" []
    "NWEReboot"="-" []
    "NeroFilterCheck"="-C:\WINDOWS\system32\NeroCheck.exe" []
    "PWRISOVM.EXE"="-C:\Program Files\PowerISO\PWRISOVM.EXE" []
    "CreativeMouse "="-C:\Program Files\Mouse Driver\MouseDrv.exe" []
    "CloneCDTray"="-C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" []
    "au"="-C:\Program Files\Dealio\DealioAU.exe" []
    "CaAvTray"="C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe" [2007-11-26 07:02]
    "CAVRID"="C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe" [2007-11-26 07:02]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 23:00]

    C:\Documents and Settings\Gail\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-07-22 17:50:16]
    Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-04-11 12:10:00]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

    R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys
    R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys
    R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
    R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
    S3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\system32\AWINDIS5.SYS
    S3 kwwalpgr;kwwalpgr;\??\C:\DOCUME~1\Gail\LOCALS~1\Temp\kwwalpgr.sys
    S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
    S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

    .
    **************************************************************************

    catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-02 12:58:27
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-02 13:00:15 - machine was rebooted
    .
    --- E O F ---


    Ok pskelley, thank you for all your help so far. Other than that Dealio thing it looks a lot cleaner. I will do a Kaspersky scan again; that way, if you want it, it's done.

  9. #9
    Junior Member
    Join Date
    Nov 2007
    Posts
    11

    I know I shouldn't post again

    I just wanted to let you know that the help I requested for the registry entries is not needed. Have fixed the problem. Amazing how much effect a hyphen has on something lol

    So ignore this bit in the first reply:

    O4 - HKLM\..\Run: [AS00_WN311B] -C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe -hide

    O4 - HKCU\..\Run: [msnmsgr] -"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    I did go into the registry but neither of these entries was there?????? ----- (duh, yes they were lol)

  10. #10
    In Memoriam - Always in our heart
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,538


    Thanks for returning your information and the feedback. Good that we ran ComboFix; it did find junk but did not find any rootkit infections. You can delete ComboFix and the C:\qoobox\quarantine\ folder.

    Use HJT to remove this dead line:
    R3 - URLSearchHook: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)

    This toolbar is OK according to CC; keep it if you wish:
    http://www.castlecops.com/clsid-28447.html

    If Kaspersky found anything you have questions about, post it; otherwise you should be good to go.

    http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

    Some good information for you:
    http://users.telenet.be/bluepatchy/m...wcomputer.html

    Here is some great information from experts in this field that will help you stay clean and safe online.
    http://users.telenet.be/bluepatchy/m...revention.html
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
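    The two kinds of lines dealt with in posts #9 and #10 above, a dead entry whose target reads "(no file)" or "(file missing)" and Run values whose data begins with a hyphen (post #9 puts the NETGEAR and MSN Messenger trouble down to that hyphen), can be picked out of a HijackThis log mechanically rather than by eye. The Python below is an added example, not a tool from this thread, from HijackThis or from ComboFix; the sample lines are constructed after the log posted above, and reading O23/R3 lines as "Section: name - owner - target" is an assumption about the log format that the samples follow.

```python
"""Triage HijackThis-style log lines for two conditions seen in the thread:
entries whose target is gone ("(no file)" / "(file missing)") and entries
whose command data starts with a hyphen, so the program never launches."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the log in this thread (not the full log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
O4 - HKLM\..\Run: [AS00_WN311B] -C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe -hide
O4 - HKCU\..\Run: [msnmsgr] -"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O23 - Service: iPod Service - Unknown owner - -"C:\Program Files\iPod\bin\iPodService.exe" (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<rest>.*)$")
# O4 registry Run lines: "<hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")


@dataclass
class Entry:
    kind: str                      # HijackThis section, e.g. O4, O23, R3
    name: str                      # value name, service name or hook name
    target: str                    # command / path the entry points at
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for lines that are not HJT entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    if kind == "O4":
        o4 = O4_RE.match(rest)
        if o4:
            name, target = o4.group("name"), o4.group("cmd")
        else:                      # Startup-folder style O4 lines: ".lnk = path"
            name, target = rest.split(": ", 1)[-1], ""
    else:
        # Assumed layout for O23/R3: "Section: name - owner/clsid - target".
        # Splitting at most twice keeps a " - " inside the target path intact.
        parts = rest.split(" - ", 2)
        name = parts[0].split(": ", 1)[-1]
        target = parts[-1] if len(parts) > 1 else ""
    entry = Entry(kind, name, target)
    if target == "(no file)" or target.endswith("(file missing)"):
        entry.flags.append("dead")             # post #10's "dead line" case
    if target.startswith("-"):
        entry.flags.append("hyphen-prefixed")  # post #9's hyphen case
    return entry


def triage(log_text: str) -> List[Entry]:
    """Return only the flagged entries, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and entry.flags:
            flagged.append(entry)
    return flagged


def without_hyphen(target: str) -> str:
    """What the value data would be once the leading hyphen is removed."""
    return target[1:] if target.startswith("-") else target


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:<4} {e.name:<14} {', '.join(e.flags):<22} {e.target}")
```

    Run over the constructed sample it reports the dead URLSearchHook, the two hyphen-prefixed Run values from post #9, and the iPod service, which carries both flags: its path starts with a hyphen, so the file cannot be found at the recorded location. A real triage would be run over the full O4/O23/R3 sections of a log, and every flagged entry still needs a human to decide whether it is a disabled program to restore or a leftover to remove.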
