PDA

View Full Version : Command Service problem



ggclarke
2007-08-29, 07:46
Something keeps taking over IE and directing me to sites I definitely do NOT want to go to. Spybot-S&D detected both Command Service and Smitfraud-C.CoreService. It was able to get rid of the Smitfraud when I rand Spybot-S&D in safe mode, but Command Service remains.

I've done a Kaspersky and the HJT for your reference.

Thanks in advance for your help!!


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:46 AM, on 8/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1157496611\ee\aolsoftware.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\??stem\s?anregw.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\ISM\ISMModule3.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive2.dll
O2 - BHO: (no name) - {9D90FC58-1FBB-4E3F-BF5A-4D76111C02C3} - C:\WINDOWS\system32\fzrehi.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1157496611\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Khnha] C:\WINDOWS\SYSTEM32\?racle\?hkntfs.exe
O4 - HKCU\..\Run: [Tlyocsfi] C:\WINDOWS\W?nSxS\?hkntfs.exe
O4 - HKCU\..\Run: [Cieytvwv] "C:\Program Files\Common Files\??stem\s?anregw.exe"
O4 - HKCU\..\Run: [ISMModule3] "C:\Program Files\ISM\ISMModule3.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - file://E:\Bin\html\files\MotivePreQual.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11708 bytes

ggclarke
2007-08-29, 07:51
Here's the Kaspersky:

KASPERSKY ONLINE SCANNER REPORT
Tuesday, August 28, 2007 11:37:35 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 29/08/2007
Kaspersky Anti-Virus database records: 395401


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 152498
Number of viruses found 17
Number of infected objects 53
Number of suspicious objects 2
Duration of the scan process 01:22:12

Infected Object Name Virus Name Last Action
C:\43.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

C:\43.tmp NSIS: infected - 1 skipped

C:\44.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped

C:\44.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped

C:\44.tmp NSIS: infected - 2 skipped

C:\D4.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

C:\D4.tmp NSIS: infected - 1 skipped

C:\D5.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped

C:\D5.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped

C:\D5.tmp NSIS: infected - 2 skipped

C:\DC.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

C:\DC.tmp NSIS: infected - 1 skipped

C:\DE.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped

C:\DE.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped

C:\DE.tmp NSIS: infected - 2 skipped

C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip/Yazzle1552OinUninstaller.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\Gregory Clarke\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped

C:\Documents and Settings\Gregory Clarke\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped

C:\Documents and Settings\Gregory Clarke\Application Data\GTek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped

C:\Documents and Settings\Gregory Clarke\Application Data\GTek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped

C:\Documents and Settings\Gregory Clarke\Cookies\INDEX.DAT Object is locked skipped

C:\Documents and Settings\Gregory Clarke\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped

C:\Documents and Settings\Gregory Clarke\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped

C:\Documents and Settings\Gregory Clarke\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Gregory Clarke\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Gregory Clarke\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\Gregory Clarke\Local Settings\Temp\!update.exe Object is locked skipped

C:\Documents and Settings\Gregory Clarke\Local Settings\Temp\ismupd1.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.br skipped

C:\Documents and Settings\Gregory Clarke\Local Settings\Temp\ismupd1.exe NSIS: infected - 1 skipped

C:\Documents and Settings\Gregory Clarke\Local Settings\Temp\Perflib_Perfdata_258.dat Object is locked skipped

C:\Documents and Settings\Gregory Clarke\Local Settings\Temp\Perflib_Perfdata_ba4.dat Object is locked skipped

C:\Documents and Settings\Gregory Clarke\Local Settings\Temp\Perflib_Perfdata_cf0.dat Object is locked skipped

C:\Documents and Settings\Gregory Clarke\Local Settings\Temp\Perflib_Perfdata_cf8.dat Object is locked skipped

C:\Documents and Settings\Gregory Clarke\Local Settings\Temp\Temporary Internet Files\Content.IE5\S9BJIV7X\goo[1].htm Object is locked skipped

C:\Documents and Settings\Gregory Clarke\Local Settings\Temporary Internet Files\Content.IE5\7BS7X18E\n404-4[1].htm Infected: Trojan-Downloader.HTML.Agent.ff skipped

C:\Documents and Settings\Gregory Clarke\Local Settings\Temporary Internet Files\Content.IE5\IM7RTMNE\n404-6[1].htm Infected: Trojan-Downloader.HTML.Agent.ff skipped

C:\Documents and Settings\Gregory Clarke\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Gregory Clarke\ntuser.dat Object is locked skipped

C:\Documents and Settings\Gregory Clarke\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\ISM\BndDrive.dll Infected: not-a-virus:AdWare.Win32.Agent.ay skipped

C:\Program Files\Outerinfo\OiUninstaller.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped

C:\Program Files\Outerinfo\OiUninstaller.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped

C:\Program Files\Outerinfo\OiUninstaller.exe NSIS: infected - 2 skipped

C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped

C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped

C:\System Volume Information\catalog.wci\00010004.ci Object is locked skipped

C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped

C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped

C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped

C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped

C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1316\A0112362.exe Infected: not-a-virus:AdWare.Win32.Rond.a skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1316\A0112476.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1317\A0112505.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1324\A0112702.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1324\A0112703.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1326\A0112770.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Rond.b skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1326\A0112770.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1326\A0112770.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1326\A0112770.exe NSIS: infected - 3 skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1331\A0112937.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1331\A0112938.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1332\A0112977.exe Infected: not-a-virus:AdWare.Win32.Agent.br skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1339\A0113331.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1339\A0113331.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1339\A0113331.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1345\A0113592.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1345\A0113592.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1345\A0113592.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1346\A0113677.dll Infected: not-a-virus:AdWare.Win32.PurityScan.fs skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1350\A0114776.exe Object is locked skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1350\A0114777.DLL Object is locked skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1350\A0114778.DLL Object is locked skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1350\A0114779.DLL Object is locked skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1350\change.log Object is locked skipped

C:\WINDOWS\b104.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped

C:\WINDOWS\b104.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\WINDOWS\b104.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\WINDOWS\b104.exe NSIS: infected - 3 skipped

C:\WINDOWS\b136.exe/stream/data0002 Infected: Trojan-Dropper.Win32.Agent.bfr skipped

C:\WINDOWS\b136.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\WINDOWS\b136.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\WINDOWS\b136.exe NSIS: infected - 3 skipped

C:\WINDOWS\b138.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.a skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\ACEEvent.evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk Object is locked skipped

C:\WINDOWS\SYSTEM32\DRIVERS\core.sys Object is locked skipped

C:\WINDOWS\SYSTEM32\fzrehi.dll Infected: not-a-virus:AdWare.Win32.PurityScan.fs skipped

C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WIADEBUG.LOG Object is locked skipped

C:\WINDOWS\WIASERVC.LOG Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\{00000002-00000000-00000002-00001102-00000004-10031102}.CDF Object is locked skipped

Scan process completed.

pskelley
2007-08-31, 15:04
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Thanks for the feedback, you are infected so let's start like this.

1) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

2) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Thanks

ggclarke
2007-08-31, 15:46
Thank you so much for your help!

Here's the HJT uninstall list:

ABBYY FineReader 5.0 Sprint
Ad-Aware SE Personal
Adobe Acrobat Reader 3.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.8
Adventures in Typing
Age of Empires III
AIM 6
Amazing Animals
American Greetings® CreataCard® Silver 5
AOL Coach Version 1.0(Build:20020823.1)
AOL Uninstaller (Choose which Products to Remove)
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG 7.5
Backyard Baseball 2003
Backyard Basketball 2004
Backyard Football 2002
Backyard Soccer 2004
Battlefield 1942
Blackhawk Striker
Blasterball 2
Boggle
Carmen Sandiego Jr. Edition
Civilization III
Classic Arcade 98
Command & Conquer Tiberian Sun
Conexant SmartHSFi V92 56K DF PCI Modem
Corel Painter Essentials 3
Creative MediaSource
DA920EN
Dell AIO Printer A920
Dell Picture Studio - Dell Image Expert
Dell Solution Center
DellConnect
DellSupport
DID's Total Air War
Digital Line Detect
DirectX Media Runtime 5.1
Dorling Kindersley Application Database v1.4
Droid Developer Kit
DVDSentry
Earth Quest
Earthlink Installer - uninstall 'Earthlink 5.0' entry first if present
Easy CD Creator 5 Basic
Eyewitness Encyclopedia of Nature 2.0
Eyewitness Encyclopedia of Science 2.0
Eyewitness History of the World 2.0
F22 Air Dominance Fighter
Fisher~Price® Ready For School
Google Earth
Google Toolbar for Internet Explorer
Greetings Workshop
GT Interactive - Driver
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Imaginext(TM) Pirate Raider
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
InterActual Player
Internet Speed Monitor
iTunes
JumpStart 2nd Grade v1.0
JumpStart 3rd Grade v1.2
JumpStart 4th Grade v1.2
Jumpstart 5th Grade v1.0
Jumpstart 6th Grade v1.0
JumpStart First Grade v2.4
JumpStart Kindergarten Reading v1.0
JumpStart Kindergarten v2.4b
JumpStart Languages
JumpStart Music
Jumpstart Preschool v2.4
JumpStart Typing v1.1
Kaspersky Online Scanner
LEGO Chess
LEGO Creator
LEGO Island
LEGO Rock Raiders
LEGO Star Wars
Logitech Gaming Software
Lord of the Rings: The Fellowship of the Ring
LOTR The Return of the King tm
Magic School Bus - Animals
Magic School Bus - Earth
Math Blaster Ages 6-9
Math Blaster Ages 9-12
McAfee SecurityCenter
McAfee VirusScan Online
Men In Black II CROSSFIRE
Modem Helper
Monopoly Junior
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MUSICMATCH® Jukebox
My Amazing Human Body
NetWaiting
Now I'm Reading!
NVIDIA Drivers
Oregon Trail 3
Paint Shop Pro 7
Pinball Science
PowerDVD
Pure Pinball
Pyramid v1.0
QuickTime
RealOne Player
Roll
RollerCoaster Tycoon 2
SabreWing 2
Scholastic's The Magic School Bus ® Explores Bugs
Scrabble 2
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Shockwave
Sid Meier's Civil War Collection
Sierra On-Line Games (Remove only)
SimTown
SmartDraw 7 Trial Edition
Sound Blaster Audigy 2
Space Rocks
Spelling Blaster Ages 6-9
Spybot - Search & Destroy 1.4
Star Wars Battlefront
Star Wars®: Knights of the Old Republic (TM)
Stratego
SUPER © Version 2006.19 (FIX)
Talking Flash Cards
The American Girls Premiere
The Battle for Middle-earth (tm)
The Battle for Middle-earth (tm) II
The Fairly OddParents Demo
The Lord of the Rings, The Rise of the Witch-king
The Rosetta Stone
Time to Ride
Tony Hawk's Pro Skater 2
Typing Instructor Deluxe
Typing Instructor for Kids
USA Explorer
Viewpoint Media Player
Waterloo - Napoleon's Last Battle
Westwood Shared Internet Components
WildTangent Channel Manager
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 2
Yahoo! Toolbar


Combofix log to follow...

ggclarke
2007-08-31, 15:47
ComboFix 07-08-30.3 - "Gregory Clarke" 2007-08-31 8:26:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.145 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\GREGOR~1\APPLIC~1\fnts~1
C:\DOCUME~1\GREGOR~1\APPLIC~1\WinTouch
C:\DOCUME~1\GREGOR~1\MYDOCU~1\stem~1
C:\DOCUME~1\GREGOR~1\STARTM~1\Programs\Outerinfo
C:\Program Files\Common Files\stem~1
C:\Program Files\Common Files\stem~1\s?anregw.exe
C:\Program Files\ISM
C:\Program Files\ISM\BndDrive.dll
C:\Program Files\ISM\BndDrive2.dll
C:\Program Files\ISM\bndloader.exe
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\ISMModule3.exe
C:\Program Files\ISM\syncupd.exe
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\b104.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\scurit~1
C:\WINDOWS\system32\fzrehi.dll
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\mantec~1
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\wtsit.exe
C:\WINDOWS\wnsxs~1


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-31 )))))))))))))))))))))))))))))))


2007-08-31 08:24 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-29 00:27 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-28 23:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-08-28 23:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Creative
2007-08-28 21:59 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-08-28 21:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-24 11:03 <DIR> d-------- C:\MBWINCD
2007-07-17 21:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-16 19:09 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-07-16 17:29 <DIR> d--hs---- C:\WINDOWS\R3JlZ29yeSBDbGFya2U
2007-07-05 11:33 <DIR> d-------- C:\Program Files\AIM6


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-31 08:03 --------- d-------- C:\Program Files\Greetings Workshop
2007-08-29 16:57 952 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-28 14:33 44288 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-08-08 16:50 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-05 11:33 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-06-26 11:13 851968 --------- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 10:09 658944 --------- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 02:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-23 13:02 90112 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-14 14:09 96256 --------- C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-14 14:09 615424 --------- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-14 14:09 55808 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-14 14:09 532480 --------- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-14 14:09 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-14 14:09 449024 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-14 14:09 39424 --------- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-14 14:09 357888 --------- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-14 14:09 3058688 --------- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-14 14:09 251392 --------- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-14 14:09 205312 --------- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-14 14:09 16384 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-14 14:09 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-14 14:09 1494528 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-14 14:09 146432 --------- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-14 14:09 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-14 14:09 1023488 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 10:07 18432 --------- C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 06:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2005-05-13 22:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 16:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-14 02:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\R3JlZ29yeSBDbGFya2U\laL5tZ6Vym1Gv3IVuZo.vbs
2005-10-08 00:14:52 308,224 --sha-r C:\WINDOWS\SYSTEM32\avisynth.dll
2005-07-14 17:31:20 27,648 --sha-r C:\WINDOWS\SYSTEM32\AVSredirect.dll
2005-06-26 20:32:28 616,448 --sha-r C:\WINDOWS\SYSTEM32\cygwin1.dll
2005-06-22 03:37:42 45,568 --sha-r C:\WINDOWS\SYSTEM32\cygz.dll
2004-01-25 05:00:00 70,656 --sha-r C:\WINDOWS\SYSTEM32\i420vfw.dll
2006-04-27 15:24:24 2,945,024 --sha-r C:\WINDOWS\SYSTEM32\Smab.dll
2005-02-28 18:16:22 240,128 --sha-r C:\WINDOWS\SYSTEM32\x.264.exe
2004-01-25 05:00:00 70,656 --sha-r C:\WINDOWS\SYSTEM32\yv12vfw.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 19:22]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 10:18]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 02:00]
"CTHelper"="CTHELPER.EXE" [2003-02-20 17:45 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"AsioReg"="REGSVR32.exe" [2004-08-04 03:56 C:\WINDOWS\SYSTEM32\regsvr32.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-03-28 18:20]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-03-18 13:53]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2003-08-04 18:25]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-07-21 20:11]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 13:28]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-03-21 12:52]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-02 19:46]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-03-21 12:50]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 08:21]
"DDCM"="C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" [2002-06-07 19:18]
"DDCActiveMenu"="C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" [2002-06-07 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-09-29 19:26]
"HostManager"="C:\Program Files\Common Files\AOL\1157496611\ee\AOLSoftware.exe" [2006-05-09 20:24]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 15:43]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-12 00:43]
"nwiz"="nwiz.exe" [2006-08-12 00:43 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-12 00:43]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-30 09:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"SB Audigy 2 Startup Menu"="/L:ENG" []
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-05-09 20:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 16:01]
"Khnha"="C:\WINDOWS\SYSTEM32\?racle\?hkntfs.exe" []
"Tlyocsfi"="C:\WINDOWS\W?nSxS\?hkntfs.exe" []
"Cieytvwv"="C:\Program Files\Common Files\??stem\s?anregw.exe" []
"ISMModule3"="C:\Program Files\ISM\ISMModule3.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]

C:\DOCUME~1\GREGOR~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-04]
PowerReg Scheduler V3.exe [2003-12-20 16:03:58]

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 cdiskdun;cdiskdun;\??\C:\DOCUME~1\GREGOR~1\LOCALS~1\Temp\cdiskdun.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys


Contents of the 'Scheduled Tasks' folder
2007-08-25 12:33:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-31 12:31:01 C:\WINDOWS\Tasks\McAfee.com Update Check (DF9RK431-Carrie).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-31 12:33:16 C:\WINDOWS\Tasks\McAfee.com Update Check (DF9RK431-Gregory Clarke).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-31 12:33:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DF9RK431-Owner).job - C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-31 08:32:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-31 8:35:47 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-31 08:35

--- E O F ---

ggclarke
2007-08-31, 15:50
Did you want a new HJT log, too? Here it is. Sorry if this was not needed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:47 AM, on 8/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\AOL\1157496611\ee\aolsoftware.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1157496611\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Khnha] C:\WINDOWS\SYSTEM32\?racle\?hkntfs.exe
O4 - HKCU\..\Run: [Tlyocsfi] C:\WINDOWS\W?nSxS\?hkntfs.exe
O4 - HKCU\..\Run: [Cieytvwv] "C:\Program Files\Common Files\??stem\s?anregw.exe"
O4 - HKCU\..\Run: [ISMModule3] "C:\Program Files\ISM\ISMModule3.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - file://E:\Bin\html\files\MotivePreQual.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11284 bytes

pskelley
2007-08-31, 18:09
Thanks for returning your information, first some information for you:
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
http://www.castlecops.com/startuplist-859.html
http://www.liutilities.com/products/wintaskspro/processlibrary/ddcman/
Security Risk (0-5): 2
Spyware: Yes ( Free Spyware Scan )
I would not have it on my computer, I suggest uninstalling the junk.

You are running two antivirus programs at the same time and this is not a good thing. They conflict with each other and you will be less safe than if you ran one good program and maintained it properly.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp

C:\PROGRA~1\Grisoft\AVG7\
C:\PROGRA~1\mcafee.com\agent\
Uninstall one of those

You will have to let me know if this program is valid.
O4 - HKCU\..\Run: [ISMModule3] "C:\Program Files\ISM\ISMModule3.exe"


1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKCU\..\Run: [Khnha] C:\WINDOWS\SYSTEM32\?racle\?hkntfs.exe G
O4 - HKCU\..\Run: [Tlyocsfi] C:\WINDOWS\W?nSxS\?hkntfs.exe G
O4 - HKCU\..\Run: [Cieytvwv] "C:\Program Files\Common Files\??stem\s?anregw.exe"
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v5.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) RIGHT Click on Start then click on Explore. Locate and delete these items:

(PurityScan junk, may be gone, just do not miss them)

C:\WINDOWS\SYSTEM32\?racle\ <<< delete the folder

C:\WINDOWS\W?nSxS\ <<< delete the folder

C:\Program Files\Common Files\??stem\ <<< delete the folder

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Delete combofix and the C:\Qoobox\Quarantine\ folder from your computer and restart the computer so the changes can go into effect.

Follow these directions to run a new Kaspersky scan, no need to download again if you still have it:
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here along with a new HJT log, expect Kaspersky to find a few because we still need to clean the System Restore files.

Thanks

ggclarke
2007-09-01, 01:30
Here's the new Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, August 31, 2007 6:25:41 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 1/09/2007
Kaspersky Anti-Virus database records: 376981
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 138729
Number of viruses found: 5
Number of infected objects: 20
Number of suspicious objects: 2
Duration of the scan process: 01:13:53

Infected Object Name / Virus Name / Last Action
C:\43.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\43.tmp NSIS: infected - 1 skipped
C:\D4.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\D4.tmp NSIS: infected - 1 skipped
C:\DC.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\DC.tmp NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip/Yazzle1552OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Gregory Clarke\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Gregory Clarke\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Gregory Clarke\Application Data\GTek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Gregory Clarke\Application Data\GTek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Gregory Clarke\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Gregory Clarke\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Gregory Clarke\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Gregory Clarke\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Gregory Clarke\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Gregory Clarke\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Gregory Clarke\Local Settings\History\History.IE5\MSHist012007083120070901\index.dat Object is locked skipped
C:\Documents and Settings\Gregory Clarke\Local Settings\Temp\Perflib_Perfdata_a08.dat Object is locked skipped
C:\Documents and Settings\Gregory Clarke\Local Settings\Temp\Perflib_Perfdata_a10.dat Object is locked skipped
C:\Documents and Settings\Gregory Clarke\Local Settings\Temp\Perflib_Perfdata_a3c.dat Object is locked skipped
C:\Documents and Settings\Gregory Clarke\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Gregory Clarke\ntuser.dat Object is locked skipped
C:\Documents and Settings\Gregory Clarke\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-934105077-2959155405-801402048-1007\Dc1\C\WINDOWS\b104.exe.vir/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\RECYCLER\S-1-5-21-934105077-2959155405-801402048-1007\Dc1\C\WINDOWS\b104.exe.vir/stream Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\RECYCLER\S-1-5-21-934105077-2959155405-801402048-1007\Dc1\C\WINDOWS\b104.exe.vir NSIS: infected - 2 skipped
C:\RECYCLER\S-1-5-21-934105077-2959155405-801402048-1007\Dc1\C\WINDOWS\b136.exe.vir/stream/data0002 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\RECYCLER\S-1-5-21-934105077-2959155405-801402048-1007\Dc1\C\WINDOWS\b136.exe.vir/stream Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\RECYCLER\S-1-5-21-934105077-2959155405-801402048-1007\Dc1\C\WINDOWS\b136.exe.vir NSIS: infected - 2 skipped
C:\RECYCLER\S-1-5-21-934105077-2959155405-801402048-1007\Dc1\C\WINDOWS\b138.exe.vir Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1350\A0114776.exe Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1350\A0114777.DLL Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1350\A0114778.DLL Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1350\A0114779.DLL Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1350\A0114800.sys Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1353\A0114969.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1353\A0114969.exe/stream Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1353\A0114969.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1353\A0114970.exe/stream/data0002 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1353\A0114970.exe/stream Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1353\A0114970.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1353\A0114971.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1353\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{8B89ADEE-3AC2-4AAA-8E7D-0AB7EECD6417}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\ACEEvent.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000002-00000000-00000002-00001102-00000004-10031102}.CDF Object is locked skipped

Scan process completed.

ggclarke
2007-09-01, 01:33
...and the new HJT.

FYI: I couldn't find the folders you mentioned in step 4 of your last post, so I assume they are gone.

Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:18 PM, on 8/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\AOL\1157496611\ee\aolsoftware.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1157496611\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - file://E:\Bin\html\files\MotivePreQual.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10126 bytes

pskelley
2007-09-01, 02:22
Thanks for returning your information, PurityScan is putting their junk in strange places, probably why combofix is not finding this stuff, we will delete them manually.

Would you scan this file: O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
I believe it is: http://www.liutilities.com/products/wintaskspro/processlibrary/cthelper/

cthelper.exe is installed with Creative Labs Soundblaster Devices
But my scanner is calling it a trojan: http://www.castlecops.com/startuplist-8222.html
and I want to be 100% positive it is valid.

Make sure all files and folders are enabled:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
search for the location and then scan with one or more of these free scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
You may also right click and choose properties and look to see if you can be sure it deals with SoundBlaster/Creative Labs.

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:27:18 PM, on 8/31/2007

(this is a microsoft money leftover you can remove with HJT if you wish)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)


KASPERSKY ONLINE SCANNER REPORT Friday, August 31, 2007 6:25:41 PM

C:\43.tmp <<< delete
C:\D4.tmp <<< delete
C:\DC.tmp <<< delete

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\
Open Spybot S&D and click the white cae with the red X and delete the contents.

C:\RECYCLER\ <<< right click on the Recycle Bin on the Desktop then choose Empty Recycle Bin, then yes.
anytime you delete bad items, empty the Bin.

The rest are infected files in System Restore, first restart the computer, then do this:

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

A new Kaspersky scan, if you followed the directions, should be clean. I do not need to see a clean scan report.

Thanks

ggclarke
2007-09-01, 05:20
The CTHELPER.EXE checked out OK.

The Kaspersky report came back clean!

Many, many thanks, pskelly!!

pskelley
2007-09-01, 14:16
:bigthumb:
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

pskelley
2007-09-04, 13:39
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks