Another Virtumonde



PhilX
2008-01-04, 15:34
I hope I am correct to post a new thread for this. I am posting from another PC.

SB S&D reports Virtumonde infection, also Windows Defender reported Browser Modifier: Win32/Fotomoto (attempted to remove, said successful but keeps coming back).

Let SB S&D fix the problems and rebooted; still some Virtumonde left. Disconnected from the internet, rebooted, ran another SB S&D scan and fix, rebooted; SB S&D scan still shows 3 items.

I can identify the times of the infections (I think) by looking at recently created files in Windows\system32 and have searched for registry entries as follows...

Search for pfcfbrxt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name=0c377ca9


Search for obhstkxv.dll
HKEY_CLASSES_ROOT\CLSID\{1a08aa9e-3225-4560-b03b-fe4085ae0052}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1a08aa9e-3225-4560-b03b-fe4085ae0052}\InprocServer32

Search for above key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A08AA9E-3225-4560-B03B-FE4085AE0052}\iexplore

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1a08aa9e-3225-4560-b03b-fe4085ae0052}

HKEY_USERS\S-1-5-21-3987327456-2122932760-77203996-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A08AA9E-3225-4560-B03B-FE4085AE0052}\iexplore

Search for rqronki.dll = not found

Search for gebxwxv.dll = not found

Search for txrbfcfp.ini = not found

Search for WLTRAY .exe (name only)

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
...C:\WINDOWS\system32\WLTRAY.exe
says it is the Dell Wireless WLAN Card Wireless Network Tray Applet

Earlier files (Sony Ericsson?)

SYSTEM32...
usnserv.exe
byxxust.dll
ssqrq.dll
qrqss.ini
qrqss.ini2
ssqrq.exe

Would it be a valid approach to delete these registry entries and files? (I'm not intending to do anything yet).

This is the start of SB S&D scan log...

--- Search result list ---
Virtumonde: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-3987327456-2122932760-77203996-1006\Software\Microsoft\rdfa

Virtumonde: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Virtumonde: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-3987327456-2122932760-77203996-1006\Software\Microsoft\aldd

I have the infected PC disconnected from the internet now so no Kaspersky online scanner.

I hope you will be able to help, Thanks
Phil

Hijackthis log (after SB S&D removals and uninstall of some other s/w).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:01:20, on 04/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Dell\E-Center\EULALauncher.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\usnserv.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
C:\WINDOWS\system32\WLTRAY .exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Dell\E-Center\EULALauncher .exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc .exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\Dell Support Center\bin\sprtcmd .exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv .exe
C:\Program Files\Windows Defender\MSASCui .exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=1071219
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=1071219
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/MyAccount.asp?affid=105-256&dtag=D5B4C3J&langid=
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrq.exe
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Userfile Sharing Server] usnserv.exe
O4 - HKLM\..\Run: [0c377ca9] rundll32.exe "C:\WINDOWS\system32\pfcfbrxt.dll",b
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?769d74ff525b4fa5b59a103963f7943b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?769d74ff525b4fa5b59a103963f7943b
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198543405921
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7085 bytes

Shaba
2008-01-05, 12:18
Hi PhilX and welcome to Safer Networking Forums :)

Rename HijackThis.exe to PhilX.exe and post back a fresh HijackThis log, please.

PhilX
2008-01-06, 20:24
Sorry for taking so long to reply, I was expecting an email when the thread was posted too and so was not checking regularly.

Renamed hijackthis.exe as PhilX.exe and ran again, new log follows.

Also as further info I forgot to mention, when logging in I got a pop-up...

RUNDLL
Error loading C:\windows\system32zssqrq.dll
No such interface supported

Three times

I didn't get them when I started up this time though.

Thanks for your time,

Phil

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:10:58, on 06/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched .exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Dell\E-Center\EULALauncher.exe
C:\WINDOWS\system32\WLTRAY .exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv .exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\WINDOWS\system32\usnserv.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc .exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Dell\E-Center\EULALauncher .exe
C:\Program Files\Dell Support Center\bin\sprtcmd .exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Windows Defender\MSASCui .exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\Dell\QuickSet\quickset .exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\PhilX.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=1071219
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=1071219
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/MyAccount.asp?affid=105-256&dtag=D5B4C3J&langid=
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrq.exe
O2 - BHO: {2500ea58-04ef-b30b-0654-5223e9aa80a1} - {1a08aa9e-3225-4560-b03b-fe4085ae0052} - C:\WINDOWS\system32\obhstkxv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6F2B8E88-0A87-4E7C-BC8C-C92CC4F2839B} - C:\WINDOWS\system32\ssqrq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: (no name) - {E1E1D3A0-66EA-46D2-BBCF-43730668E1EB} - C:\WINDOWS\system32\byxxust.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Userfile Sharing Server] usnserv.exe
O4 - HKLM\..\Run: [0c377ca9] rundll32.exe "C:\WINDOWS\system32\pfcfbrxt.dll",b
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?769d74ff525b4fa5b59a103963f7943b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?769d74ff525b4fa5b59a103963f7943b
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198543405921
O20 - Winlogon Notify: byxxust - C:\WINDOWS\SYSTEM32\byxxust.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8232 bytes
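
The two HijackThis logs in this thread are read by eye. As an added example (not part of the original posts and not a HijackThis feature), the Python below turns that reading into rules and runs them over a few lines copied from the second log: a space before `.exe` (the `WLTRAY .exe` / `quickset .exe` companions), a `win.ini load=` value, an unnamed or GUID-named BHO loading from system32 with a random-looking stem, a Run value that hands rundll32 such a DLL, and any Winlogon Notify entry. The "random-looking" test (5 to 8 lowercase letters with fewer than a third vowels) is my own heuristic tuned to the names in this thread, not a HijackThis rule, and will produce false positives on other logs; the tag names are mine too.

```python
import ntpath
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", ["tag", "line"])

# Constructed sample: entries copied from the second HijackThis log in this
# thread, plus two benign entries (SDHelper.dll, ssv.dll) so the negative
# cases are visible.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\WLTRAY .exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrq.exe
O2 - BHO: {2500ea58-04ef-b30b-0654-5223e9aa80a1} - {1a08aa9e-3225-4560-b03b-fe4085ae0052} - C:\WINDOWS\system32\obhstkxv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6F2B8E88-0A87-4E7C-BC8C-C92CC4F2839B} - C:\WINDOWS\system32\ssqrq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe
O4 - HKLM\..\Run: [0c377ca9] rundll32.exe "C:\WINDOWS\system32\pfcfbrxt.dll",b
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: byxxust - C:\WINDOWS\SYSTEM32\byxxust.dll
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
COMPANION_RE = re.compile(r"\S \.exe\b", re.I)   # "name .exe": space before the extension
VOWELS = set("aeiou")


def looks_random(stem):
    """My heuristic, not a HijackThis rule: the Vundo DLL stems in this thread
    (obhstkxv, pfcfbrxt, byxxust, ssqrq) are 5-8 lowercase letters with fewer
    than a third vowels. Expect false positives on other logs."""
    if not (5 <= len(stem) <= 8 and stem.isalpha() and stem.islower()):
        return False
    return sum(c in VOWELS for c in stem) * 3 < len(stem)


def dll_stem(path):
    """'C:\\WINDOWS\\system32\\obhstkxv.dll' -> 'obhstkxv' (ntpath handles backslashes on any OS)."""
    return ntpath.splitext(ntpath.basename(path.strip('"')))[0]


def in_system32(path):
    return "\\system32\\" in path.lower()


def triage(log_text):
    """Return one Finding per suspicious indicator, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]          # "O2", "O4", "O20", "F3", or a process path
        # Companion-file pattern, seen both in the process list and in the
        # Dell QuickSet Run value above.
        if COMPANION_RE.search(line):
            findings.append(Finding("companion_exe", line))
        if kind == "F3" and re.search(r"load=\S", line):
            # win.ini load= is a legacy autostart hook; anything here needs explaining.
            findings.append(Finding("win_ini_load", line))
        elif kind == "O2":
            # Layout: O2 - BHO: <name> - {CLSID} - <path>
            parts = line.split(" - ")
            name, path = parts[1][len("BHO: "):], parts[-1]
            unnamed = name == "(no name)" or GUID_RE.fullmatch(name) is not None
            if unnamed and in_system32(path) and looks_random(dll_stem(path)):
                findings.append(Finding("unnamed_system32_bho", line))
        elif kind == "O4":
            m = RUNDLL_RE.search(line)
            if m and looks_random(dll_stem(m.group(1))):
                findings.append(Finding("rundll32_random_dll", line))
        elif kind == "O20":
            # Every DLL registered here is loaded by winlogon.exe at logon; always review.
            findings.append(Finding("winlogon_notify", line))
    return findings


def tally(findings):
    """Count findings per tag, e.g. {'companion_exe': 2, ...}."""
    return Counter(f.tag for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.tag:22} {f.line}")
```

On the sample this reports seven findings: both companion entries, the `win.ini` load, the two unnamed system32 BHOs (`obhstkxv.dll`, `ssqrq.dll`), the rundll32 Run value, and the Winlogon Notify entry; SDHelper.dll (Spybot's own BHO, outside system32) and ssv.dll (named) are left alone. Treat the output as a review list, not a verdict: the rules flag things to look at, and the actual fix in this thread was left to ComboFix rather than to hand deletion.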

Shaba
2008-01-06, 20:31
Hi

You seem to have a file-infecting Vundo, so we won't install an antivirus yet.

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Post:

- a fresh HijackThis log
- combofix report

PhilX
2008-01-06, 21:16
Hi Shaba

As already mentioned, the infected PC is not connected to the internet; I am transferring via a data stick. I downloaded ComboFix to this PC and copied it onto the desktop of the infected PC. Is this OK (not downloaded directly to the desktop as instructed)?

The 2 logs follow.

After ComboFix rebooted the PC and continued (title = Find3M), I got repeated RUNDLL error pop-ups before it completed: the first was the ssqrq.dll one already mentioned; the rest were "error loading ... the specified module could not be found". These kept coming while I ran HijackThis again.

Also there is a system tray icon for java update saying a new version of java is ready to install.

ComboFix 08-01-04.1 - Xanthe 2008-01-06 18:48:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.483 [GMT 0:00]
Running from: C:\Documents and Settings\Xanthe\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dell\E-Center\EULALauncher.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\byxxust.dll
C:\WINDOWS\system32\gebxwxv.dll
C:\WINDOWS\system32\obhstkxv.dll
C:\WINDOWS\system32\pfcfbrxt.dll
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\rqronki.dll
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\ssqrq.exe
C:\WINDOWS\system32\txrbfcfp.ini
C:\WINDOWS\system32\WLTRAY.exe


"C:\dell\E-Center\EULALauncher .exe" replaces infected copy of "C:\dell\E-Center\EULALauncher.exe"
"C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe" replaces infected copy of "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe" replaces infected copy of "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" replaces infected copy of "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv .exe" replaces infected copy of "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
"C:\Program Files\Dell Support Center\bin\sprtcmd .exe" replaces infected copy of "C:\Program Files\Dell Support Center\bin\sprtcmd.exe"
"C:\Program Files\Dell Support Center\gs_agent\custom\dsca .exe" replaces infected copy of "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
"C:\Program Files\Java\jre1.5.0_07\bin\jusched .exe" replaces infected copy of "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
"C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc .exe" replaces infected copy of "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
"C:\Program Files\Synaptics\SynTP\SynTPEnh .exe" replaces infected copy of "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
"C:\Program Files\Windows Defender\MSASCui .exe" replaces infected copy of "C:\Program Files\Windows Defender\MSASCui.exe"
"C:\WINDOWS\system32\WLTRAY .exe" replaces infected copy of "C:\WINDOWS\system32\WLTRAY.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-06 18:46 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 17:53 . 2007-12-19 02:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-01-05 17:53 . 2007-12-19 02:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2008-01-04 13:00 . 2008-01-04 13:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-04 01:45 . 2008-01-04 01:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-03 02:25 . 2008-01-03 00:52 72,704 -rahs---- C:\WINDOWS\system32\usnserv.exe
2007-12-30 14:26 . 2007-12-30 14:26 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\Leadertech
2007-12-30 14:08 . 2007-12-30 14:08 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\AdobeUM
2007-12-30 14:08 . 2007-12-30 14:08 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\AdobeAUM
2007-12-30 14:05 . 2007-12-30 14:06 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\Teleca
2007-12-30 14:04 . 2007-12-30 14:04 <DIR> d-------- C:\Program Files\Sony Ericsson
2007-12-30 14:04 . 2008-01-04 12:56 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2007-12-30 14:02 . 2007-12-30 14:02 6,144 --a------ C:\WINDOWS\system32\drivers\k750cm.sys
2007-12-30 14:02 . 2007-12-30 14:02 5,744 --a------ C:\WINDOWS\system32\drivers\k750wh.sys
2007-12-30 14:01 . 2007-12-30 14:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-30 14:01 . 2007-12-30 14:02 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-26 20:53 . 2007-12-26 20:53 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-12-26 20:14 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-26 20:14 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-12-26 20:14 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-26 01:29 . 2008-01-06 18:55 <DIR> d-------- C:\MDT
2007-12-26 01:28 . 2007-12-26 01:28 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\CyberLink
2007-12-26 01:28 . 2007-12-26 01:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-25 20:55 . 2007-12-25 20:55 268 --ah----- C:\sqmdata01.sqm
2007-12-25 20:55 . 2007-12-25 20:55 244 --ah----- C:\sqmnoopt01.sqm
2007-12-25 20:53 . 2007-12-25 20:53 268 --ah----- C:\sqmdata00.sqm
2007-12-25 20:53 . 2007-12-25 20:53 244 --ah----- C:\sqmnoopt00.sqm
2007-12-25 20:36 . 2008-01-06 18:54 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-25 20:31 . 2007-12-25 20:31 <DIR> d-------- C:\Program Files\IZArc
2007-12-25 18:20 . 2007-12-25 18:20 <DIR> d-------- C:\Documents and Settings\Xanthe\Contacts
2007-12-25 17:54 . 2007-12-26 20:53 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-12-25 17:54 . 2007-12-25 17:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-12-25 17:53 . 2007-12-30 14:04 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-25 17:53 . 2007-12-25 17:53 <DIR> d-------- C:\Program Files\MSN Messenger
2007-12-25 08:38 . 2008-01-06 18:55 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\OpenOffice.org2
2007-12-25 08:37 . 2007-12-25 08:37 <DIR> d-------- C:\Program Files\OpenOffice.org 2.1
2007-12-25 08:14 . 2007-12-25 08:14 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\MSNInstaller
2007-12-25 01:07 . 2007-12-25 01:07 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-25 01:00 . 2007-07-09 13:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-25 00:42 . 2007-12-25 00:42 <DIR> d---s---- C:\Documents and Settings\Xanthe\UserData
2007-12-25 00:39 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-25 00:38 . 2007-12-25 00:38 4,128 --a------ C:\INFCACHE.1
2007-12-25 00:08 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-12-25 00:08 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-25 00:08 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-12-25 00:08 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2007-12-25 00:07 . 2007-12-25 00:07 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\Dell
2007-12-25 00:06 . 2007-12-19 02:04 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\InstallShield
2007-12-25 00:06 . 2007-12-19 02:15 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\ATI
2007-12-25 00:03 . 2007-12-25 00:03 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2007-12-19 02:15 . 2007-12-19 02:15 61 --a------ C:\WINDOWS\smscfg.ini
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Program Files\Microsoft Works
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Program Files\Dell Support Center
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-12-19 02:08 . 2007-12-25 00:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-19 02:07 . 2007-12-19 02:08 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-19 02:07 . 2007-12-19 02:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Roxio
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\CyberLink
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\NetWaiting
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\Modem Diagnostic Tool
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\Digital Line Detect
2007-12-19 02:05 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\ATI Technologies
2007-12-19 02:04 . 2007-12-19 02:04 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-12-19 02:04 . 2007-12-19 02:06 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-12-19 02:04 . 2007-12-19 02:07 <DIR> d-------- C:\Program Files\Dell
2007-12-19 02:04 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-12-19 02:04 . 2007-12-19 02:04 <DIR> d-------- C:\Program Files\Broadcom
2007-12-19 02:03 . 2007-12-19 02:03 <DIR> d-------- C:\Program Files\Sigmatel
2007-12-19 02:03 . 2007-04-23 21:01 4,939,776 --a------ C:\WINDOWS\system32\stacgui.cpl
2007-12-19 02:03 . 2007-04-23 21:01 1,601,536 --a------ C:\WINDOWS\system32\stlang.dll
2007-12-19 02:03 . 2007-04-23 21:01 303,104 --a------ C:\WINDOWS\stsystra.exe
2007-12-19 02:03 . 2004-08-03 22:58 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-12-19 02:03 . 2004-08-03 22:58 5,376 --a------ C:\WINDOWS\system32\dllcache\mspclock.sys
2007-12-19 02:02 . 2007-12-19 02:02 <DIR> d-------- C:\Program Files\CONEXANT
2007-12-19 02:02 . 2004-08-04 00:56 130,048 --a------ C:\WINDOWS\system32\ksproxy.ax
2007-12-19 02:02 . 2004-08-04 00:56 130,048 --a------ C:\WINDOWS\system32\dllcache\ksproxy.ax
2007-12-19 02:02 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-12-19 02:02 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS\system32\dllcache\drmk.sys
2007-12-19 02:02 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-12-19 02:02 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS\system32\dllcache\ksuser.dll
2007-12-19 02:01 . 2004-08-04 05:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-19 02:01 . 2006-03-17 00:38 28,672 --a------ C:\WINDOWS\system32\verclsid.exe
2007-12-19 02:01 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-19 01:59 . 2007-12-25 08:36 <DIR> d-------- C:\Program Files\Java
2007-12-19 01:59 . 2007-12-19 01:59 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-19 01:59 . 2006-05-03 02:56 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2007-12-19 01:57 . 2007-12-19 01:57 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-19 01:57 . 2007-06-13 10:23 1,033,216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-12-19 01:57 . 2007-05-17 11:28 549,376 --------- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-12-19 01:57 . 2007-05-30 10:47 81,664 --------- C:\WINDOWS\system32\dllcache\videoprt.sys
2007-12-19 01:57 . 2007-05-03 10:27 78,720 --------- C:\WINDOWS\system32\dllcache\sdbus.sys
2007-12-19 01:57 . 2007-05-03 10:03 12,032 --------- C:\WINDOWS\system32\dllcache\sffdisk.sys
2007-12-19 01:57 . 2007-05-03 10:03 11,008 --------- C:\WINDOWS\system32\dllcache\sffp_sd.sys

.

PhilX
2008-01-06, 21:17
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 18:55 344,576 ----a-w C:\WINDOWS\system32\ssqrq.dll
2008-01-06 18:44 1,392,640 ----a-w C:\WINDOWS\system32\WLTRAY.exe
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 09:55 3,065,856 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 17:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 17:39 230,912 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-27 17:37 2,109,440 ------w C:\WINDOWS\system32\dllcache\wmvcore.dll
2007-10-16 14:16 90,112 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-10-16 14:16 6,684,672 ----a-w C:\WINDOWS\system32\atioglx1.dll
2007-10-16 14:16 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-10-16 14:16 5,148,672 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-10-16 14:16 430,080 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-10-16 14:16 41,984 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-10-16 14:16 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-10-16 14:16 303,104 ----a-w C:\WINDOWS\system32\ATIDEMGR.dll
2007-10-16 14:16 294,912 ----a-w C:\WINDOWS\system32\dllcache\ati2cqag.dll
2007-10-16 14:16 294,912 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-10-16 14:16 260,608 ----a-w C:\WINDOWS\system32\dllcache\ati2dvag.dll
2007-10-16 14:16 260,608 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-10-16 14:16 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-10-16 14:16 24,064 ----a-w C:\WINDOWS\system32\ativcoxx.dll
2007-10-16 14:16 221,184 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-10-16 14:16 2,518,336 ----a-w C:\WINDOWS\system32\dllcache\ati3duag.dll
2007-10-16 14:16 2,518,336 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-10-16 14:16 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-10-16 14:16 118,784 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-10-16 14:16 106,496 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-10-16 14:16 1,777,152 ----a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
2007-10-16 14:16 1,092,960 ----a-w C:\WINDOWS\system32\dllcache\ativvaxx.dll
2007-10-16 14:16 1,092,960 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-10-11 05:57 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-10-11 05:57 666,112 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-11 05:57 617,984 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-11 05:57 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-11 05:57 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-11 05:57 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-10-11 05:57 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-11 05:57 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-11 05:57 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-10-11 05:57 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-10-11 05:57 205,824 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-11 05:57 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-11 05:57 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-10-11 05:57 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-11 05:57 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-11 05:57 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-10-11 05:57 1,024,000 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-10-10 10:48 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
.

<pre>
----a-w 57,344 2008-01-04 12:54:12 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
----a-w 40,048 2008-01-04 00:36:27 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 1,259,520 2008-01-06 18:55:52 C:\Program Files\Dell\QuickSet\quickset .exe
----a-w 159,744 2008-01-04 12:51:08 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2008-01-06 18:55 551936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-06 18:55 1231872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2008-01-06 18:55 41472]
"SigmatelSysTrayApp"="stsystra.exe" [2007-04-23 21:01 303104 C:\WINDOWS\stsystra.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2008-01-06 18:55 1757184]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset .exe" [2008-01-06 18:55 1259520]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2008-01-06 18:55 141824]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-01-06 18:55 251392]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-01-06 18:55 88064]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2008-01-06 18:56 1180160]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-01-06 18:56 144384]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2008-01-06 18:56 23552]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-01-06 18:56 22016]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-06 18:56 897024]
"Userfile Sharing Server"="usnserv.exe" [2008-01-03 00:52 72704 C:\WINDOWS\system32\usnserv.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]

C:\Documents and Settings\Xanthe\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\ssqrq

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2007-05-23 14:07]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 10:35]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-05 16:08:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-01-06 18:47:08 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 18:55:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\qrqss.ini 391 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\ssqrq.dll
.
Completion time: 2008-01-06 18:57:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-06 18:57:16
.
2008-01-03 23:50:35 --- E O F ---

PhilX
2008-01-06, 21:18
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:00:08, on 06/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Dell\E-Center\EULALauncher.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\usnserv.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\PhilX.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=1071219
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/MyAccount.asp?affid=105-256&dtag=D5B4C3J&langid=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Userfile Sharing Server] usnserv.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?769d74ff525b4fa5b59a103963f7943b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?769d74ff525b4fa5b59a103963f7943b
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198543405921
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6683 bytes

Shaba
2008-01-07, 11:53
Hi

Yes, that is fine :)

It's very good to keep that computer offline while you're infected.

Open notepad and copy/paste the text in the quotebox below into it:


Rootkit::
C:\WINDOWS\system32\qrqss.ini

RenV::
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe

File::
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\usnserv.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Userfile Sharing Server"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00



Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happened we want to know, and also what process you had to end.
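
As an added illustration of the LSA part of this script (not code from the thread, from ComboFix or from Spybot), the Python below parses the "Authentication Packages" line printed in the ComboFix logs above, flags the entry that does not belong there, and reproduces the REGEDIT4 hex(7) value used in the CFScript to restore the default. The function names, the default-package list and the sample line handling are this example's own assumptions.

```python
"""Check an LSA 'Authentication Packages' value for entries that do not
belong there, and build the REGEDIT4 hex(7) line that restores the default.

Added example, not part of this thread's posts or of ComboFix/HijackThis.
The sample log line is copied from the ComboFix output in the thread; the
function and constant names are this example's own.
"""

# Default content of
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
# on Windows XP: the single package msv1_0 (the NTLM package).
DEFAULT_AUTH_PACKAGES = ("msv1_0",)

# Line as printed in the ComboFix "Reg Loading Points" section of the logs.
# ComboFix doubles every backslash in this section.
COMBOFIX_LSA_LINE = (
    "Authentication Packages REG_MULTI_SZ msv1_0 C:\\\\WINDOWS\\\\system32\\\\ssqrq"
)


def parse_combofix_multi_sz(line):
    """Split a ComboFix 'Name REG_MULTI_SZ v1 v2 ...' line into its values.

    Values are whitespace-separated in the log, which is enough for the
    paths that appear in the Lsa key (none contain spaces); the doubled
    backslashes are collapsed back to single ones.
    """
    _name, sep, values = line.partition(" REG_MULTI_SZ ")
    if not sep:
        raise ValueError("not a REG_MULTI_SZ line: %r" % line)
    return [v.replace("\\\\", "\\") for v in values.split()]


def unexpected_auth_packages(values, expected=DEFAULT_AUTH_PACKAGES):
    """Return the entries that are not one of the expected packages.

    A bare name such as msv1_0 is the normal form; a full path like the
    ssqrq entry in the logs makes lsass.exe load that DLL at startup, which
    is why the file keeps coming back after ordinary deletion attempts.
    """
    allowed = {e.lower() for e in expected}
    return [v for v in values if v.lower() not in allowed]


def encode_regedit4_multi_sz(values):
    """Encode strings as a REGEDIT4 hex(7) (REG_MULTI_SZ) value.

    REGEDIT4 files (unlike 'Windows Registry Editor Version 5.00') store
    REG_MULTI_SZ as ANSI bytes: every string NUL-terminated, then one more
    NUL to close the list. An empty list is the two bytes 00,00.
    """
    if not values:
        return "hex(7):00,00"
    data = b"".join(v.encode("latin-1") + b"\x00" for v in values) + b"\x00"
    return "hex(7):" + ",".join("%02x" % b for b in data)


def decode_regedit4_multi_sz(text):
    """Inverse of encode_regedit4_multi_sz; use it to verify a CFScript
    registry line before handing the script to ComboFix."""
    prefix = "hex(7):"
    if not text.startswith(prefix):
        raise ValueError("not a hex(7) value")
    data = bytes(int(h, 16) for h in text[len(prefix):].split(","))
    if len(data) < 2 or not data.endswith(b"\x00\x00"):
        raise ValueError("REG_MULTI_SZ must end with a double NUL")
    if len(data) == 2:
        return []
    return [s.decode("latin-1") for s in data[:-2].split(b"\x00")]


def cfscript_restore_line(expected=DEFAULT_AUTH_PACKAGES):
    """The Registry:: line that resets Authentication Packages to the
    default, in the same form as the CFScript posted in the thread."""
    return '"Authentication Packages"=' + encode_regedit4_multi_sz(list(expected))


def audit_lsa_line(line):
    """Parse one ComboFix Lsa line and report what is wrong and how to fix it."""
    values = parse_combofix_multi_sz(line)
    extra = unexpected_auth_packages(values)
    return {
        "packages": values,
        "unexpected": extra,
        "restore": cfscript_restore_line() if extra else None,
    }


if __name__ == "__main__":
    for key, value in audit_lsa_line(COMBOFIX_LSA_LINE).items():
        print("%-10s %s" % (key, value))
```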

PhilX
2008-01-07, 13:00
Hi Shaba

Here are the requested logs.

Thanks

Phil

Combofix log part 1

ComboFix 08-01-04.1 - Xanthe 2008-01-07 10:42:02.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.508 [GMT 0:00]
Running from: C:\Documents and Settings\Xanthe\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Xanthe\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\usnserv.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dell\E-Center\EULALauncher.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\ssqrq.exe
C:\WINDOWS\system32\usnserv.exe
C:\WINDOWS\system32\WLTRAY.exe


<pre>
"C:\dell\E-Center\EULALauncher .exe" replaces infected copy of "C:\dell\E-Center\EULALauncher.exe"
"C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe" replaces infected copy of "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe" replaces infected copy of "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" replaces infected copy of "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv .exe" replaces infected copy of "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
"C:\Program Files\Dell Support Center\bin\sprtcmd .exe" replaces infected copy of "C:\Program Files\Dell Support Center\bin\sprtcmd.exe"
"C:\Program Files\Dell Support Center\gs_agent\custom\dsca .exe" replaces infected copy of "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
"C:\Program Files\Java\jre1.5.0_07\bin\jusched .exe" replaces infected copy of "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
"C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc .exe" replaces infected copy of "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
"C:\Program Files\Synaptics\SynTP\SynTPEnh .exe" replaces infected copy of "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
"C:\Program Files\Windows Defender\MSASCui .exe" replaces infected copy of "C:\Program Files\Windows Defender\MSASCui.exe"
"C:\WINDOWS\system32\WLTRAY .exe" replaces infected copy of "C:\WINDOWS\system32\WLTRAY.exe"
</pre>
.
.
((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-07 10:38 . 2008-01-07 10:45 2,101,760 --a------ C:\WINDOWS\system32\WLTRAY.exe
2008-01-06 18:46 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 17:53 . 2007-12-19 02:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-01-05 17:53 . 2007-12-19 02:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2008-01-04 13:00 . 2008-01-04 13:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-04 01:45 . 2008-01-04 01:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-30 14:26 . 2007-12-30 14:26 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\Leadertech
2007-12-30 14:08 . 2007-12-30 14:08 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\AdobeUM
2007-12-30 14:08 . 2007-12-30 14:08 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\AdobeAUM
2007-12-30 14:05 . 2007-12-30 14:06 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\Teleca
2007-12-30 14:04 . 2007-12-30 14:04 <DIR> d-------- C:\Program Files\Sony Ericsson
2007-12-30 14:04 . 2008-01-04 12:56 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2007-12-30 14:02 . 2007-12-30 14:02 6,144 --a------ C:\WINDOWS\system32\drivers\k750cm.sys
2007-12-30 14:02 . 2007-12-30 14:02 5,744 --a------ C:\WINDOWS\system32\drivers\k750wh.sys
2007-12-30 14:01 . 2007-12-30 14:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-30 14:01 . 2007-12-30 14:02 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-26 20:53 . 2007-12-26 20:53 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-12-26 20:14 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-26 20:14 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-12-26 20:14 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-26 01:29 . 2008-01-07 10:45 <DIR> d-------- C:\MDT
2007-12-26 01:28 . 2007-12-26 01:28 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\CyberLink
2007-12-26 01:28 . 2007-12-26 01:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-25 20:55 . 2007-12-25 20:55 268 --ah----- C:\sqmdata01.sqm
2007-12-25 20:55 . 2007-12-25 20:55 244 --ah----- C:\sqmnoopt01.sqm
2007-12-25 20:53 . 2007-12-25 20:53 268 --ah----- C:\sqmdata00.sqm
2007-12-25 20:53 . 2007-12-25 20:53 244 --ah----- C:\sqmnoopt00.sqm
2007-12-25 20:36 . 2008-01-07 10:46 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-25 20:31 . 2007-12-25 20:31 <DIR> d-------- C:\Program Files\IZArc
2007-12-25 18:20 . 2007-12-25 18:20 <DIR> d-------- C:\Documents and Settings\Xanthe\Contacts
2007-12-25 17:54 . 2007-12-26 20:53 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-12-25 17:54 . 2007-12-25 17:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-12-25 17:53 . 2007-12-30 14:04 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-25 17:53 . 2007-12-25 17:53 <DIR> d-------- C:\Program Files\MSN Messenger
2007-12-25 08:38 . 2008-01-07 10:45 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\OpenOffice.org2
2007-12-25 08:37 . 2007-12-25 08:37 <DIR> d-------- C:\Program Files\OpenOffice.org 2.1
2007-12-25 08:14 . 2007-12-25 08:14 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\MSNInstaller
2007-12-25 01:07 . 2007-12-25 01:07 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-25 01:00 . 2007-07-09 13:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-25 00:42 . 2007-12-25 00:42 <DIR> d---s---- C:\Documents and Settings\Xanthe\UserData
2007-12-25 00:39 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-25 00:38 . 2007-12-25 00:38 4,128 --a------ C:\INFCACHE.1
2007-12-25 00:08 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-12-25 00:08 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-25 00:08 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-12-25 00:08 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2007-12-25 00:07 . 2007-12-25 00:07 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\Dell
2007-12-25 00:06 . 2007-12-19 02:04 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\InstallShield
2007-12-25 00:06 . 2007-12-19 02:15 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\ATI
2007-12-25 00:03 . 2007-12-25 00:03 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2007-12-19 02:15 . 2007-12-19 02:15 61 --a------ C:\WINDOWS\smscfg.ini
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Program Files\Microsoft Works
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Program Files\Dell Support Center
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-12-19 02:08 . 2007-12-25 00:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-19 02:07 . 2007-12-19 02:08 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-19 02:07 . 2007-12-19 02:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Roxio
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\CyberLink
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\NetWaiting
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\Modem Diagnostic Tool
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\Digital Line Detect
2007-12-19 02:05 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\ATI Technologies
2007-12-19 02:04 . 2007-12-19 02:04 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-12-19 02:04 . 2007-12-19 02:06 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-12-19 02:04 . 2007-12-19 02:07 <DIR> d-------- C:\Program Files\Dell
2007-12-19 02:04 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-12-19 02:04 . 2007-12-19 02:04 <DIR> d-------- C:\Program Files\Broadcom
2007-12-19 02:03 . 2007-12-19 02:03 <DIR> d-------- C:\Program Files\Sigmatel
2007-12-19 02:03 . 2007-04-23 21:01 4,939,776 --a------ C:\WINDOWS\system32\stacgui.cpl
2007-12-19 02:03 . 2007-04-23 21:01 1,601,536 --a------ C:\WINDOWS\system32\stlang.dll
2007-12-19 02:03 . 2007-04-23 21:01 303,104 --a------ C:\WINDOWS\stsystra.exe
2007-12-19 02:03 . 2004-08-03 22:58 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-12-19 02:03 . 2004-08-03 22:58 5,376 --a------ C:\WINDOWS\system32\dllcache\mspclock.sys
2007-12-19 02:02 . 2007-12-19 02:02 <DIR> d-------- C:\Program Files\CONEXANT
2007-12-19 02:02 . 2004-08-04 00:56 130,048 --a------ C:\WINDOWS\system32\ksproxy.ax
2007-12-19 02:02 . 2004-08-04 00:56 130,048 --a------ C:\WINDOWS\system32\dllcache\ksproxy.ax
2007-12-19 02:02 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-12-19 02:02 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS\system32\dllcache\drmk.sys
2007-12-19 02:02 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-12-19 02:02 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS\system32\dllcache\ksuser.dll
2007-12-19 02:01 . 2004-08-04 05:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-19 02:01 . 2006-03-17 00:38 28,672 --a------ C:\WINDOWS\system32\verclsid.exe
2007-12-19 02:01 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-19 01:59 . 2007-12-25 08:36 <DIR> d-------- C:\Program Files\Java
2007-12-19 01:59 . 2007-12-19 01:59 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-19 01:59 . 2006-05-03 02:56 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2007-12-19 01:57 . 2007-12-19 01:57 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-19 01:57 . 2007-06-13 10:23 1,033,216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-12-19 01:57 . 2007-05-17 11:28 549,376 --------- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-12-19 01:57 . 2007-05-30 10:47 81,664 --------- C:\WINDOWS\system32\dllcache\videoprt.sys
2007-12-19 01:57 . 2007-05-03 10:27 78,720 --------- C:\WINDOWS\system32\dllcache\sdbus.sys
2007-12-19 01:57 . 2007-05-03 10:03 12,032 --------- C:\WINDOWS\system32\dllcache\sffdisk.sys
2007-12-19 01:57 . 2007-05-03 10:03 11,008 --------- C:\WINDOWS\system32\dllcache\sffp_sd.sys

PhilX
2008-01-07, 13:01
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
.

<pre>
----a-w 1,604,096 2008-01-07 10:45:46 C:\Program Files\Dell\QuickSet\quickset .exe
----a-w 159,744 2008-01-04 12:51:08 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-06_18.57.04.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-06 18:49:46 53,838 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-07 10:43:44 53,838 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-06 18:49:46 382,260 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-07 10:43:44 382,260 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2008-01-07 10:45 551936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-07 10:45 1231872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2008-01-07 10:45 386048]
"SigmatelSysTrayApp"="stsystra.exe" [2007-04-23 21:01 303104 C:\WINDOWS\stsystra.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2008-01-07 10:45 2101760]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset .exe" [2008-01-07 10:45 1604096]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2008-01-07 10:45 486400]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-01-07 10:45 595968]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-01-07 10:45 432640]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2008-01-07 10:45 1180160]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-01-07 10:45 144384]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2008-01-07 10:45 23552]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-01-07 10:45 22016]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-07 10:46 897024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\Xanthe\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\ssqrq

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2007-05-23 14:07]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 10:35]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 19:08:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-01-07 10:41:55 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 10:45:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\qrqss.ini 391 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\ssqrq.dll
.
Completion time: 2008-01-07 10:47:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-07 10:47:24
ComboFix2.txt 2008-01-06 18:57:31
.
2008-01-03 23:50:35 --- E O F ---

PhilX
2008-01-07, 13:02
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:55, on 07/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Dell\E-Center\EULALauncher.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\PhilX.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=1071219
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/MyAccount.asp?affid=105-256&dtag=D5B4C3J&langid=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?769d74ff525b4fa5b59a103963f7943b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?769d74ff525b4fa5b59a103963f7943b
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198543405921
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6736 bytes

Shaba
2008-01-07, 13:08
Hi

It looks like you will need to re-install some programs.

I mean at least these:

C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

But as there don't seem to be clean copies (ComboFix restores them automatically if present), we can do nothing about that.

Open notepad and copy/paste the text in the quotebox below into it:


Rootkit::
C:\WINDOWS\system32\qrqss.ini

File::
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe
C:\WINDOWS\system32\ssqrq.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happens, we want to know, and also which process you had to end.
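
A small audit script, added here and not code from the thread or from ComboFix, that decodes the REG_MULTI_SZ hex(7) value the CFScript writes back and flags any LSA Authentication Package beyond msv1_0 (the ssqrq entry ComboFix listed). The clean value is the one in the CFScript above; the infected value is a constructed sample rebuilt from the ComboFix line, and the script also handles the UTF-16LE encoding that "Windows Registry Editor Version 5.00" files use, since the same bytes mean different strings in the two formats.

```python
"""Decode REG_MULTI_SZ hex(7) data from .reg / CFScript text and audit the LSA
'Authentication Packages' list. Added example, not code from the thread or
from ComboFix; the clean value is the one in the CFScript above, the infected
value is a constructed sample rebuilt from the ComboFix line
'Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\ssqrq'."""
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "Authentication Packages"
# The only package a stock Windows XP install lists under this value.
EXPECTED_PACKAGES = ("msv1_0",)


def encode_hex7(strings, unicode_fmt=False):
    """Encode a list of strings as REG_MULTI_SZ 'hex(7):..' data.

    REGEDIT4 files (and ComboFix's Registry:: block, as the 8-byte value in
    the CFScript shows) hold ANSI bytes; 'Windows Registry Editor Version
    5.00' files hold UTF-16LE. Every string is NUL-terminated and the list
    ends with one extra NUL.
    """
    joined = "".join(s + "\0" for s in strings) + "\0"
    raw = joined.encode("utf-16-le" if unicode_fmt else "latin-1")
    return "hex(7):" + ",".join("%02x" % b for b in raw)


def decode_hex7(data, unicode_fmt=False):
    """Turn 'hex(7):6d,73,...' back into the list of strings it encodes."""
    if not data.startswith("hex(7):"):
        raise ValueError("not REG_MULTI_SZ hex(7) data: %r" % data[:20])
    pairs = re.findall(r"[0-9a-fA-F]{2}", data[len("hex(7):"):])
    raw = bytes(int(h, 16) for h in pairs)
    text = raw.decode("utf-16-le" if unicode_fmt else "latin-1")
    # Dropping empty pieces removes the list terminator.
    return [s for s in text.split("\0") if s]


def parse_reg(text):
    """Parse the [key] and "name"=data lines of a .reg or CFScript fragment.

    Returns (unicode_fmt, {(key, name): data}). Lines that regedit wraps
    with a trailing backslash are joined back together first.
    """
    unicode_fmt = text.lstrip().startswith("Windows Registry Editor Version 5.00")
    logical = re.sub(r"\\\r?\n\s*", "", text)
    values, key = {}, None
    for line in logical.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and '"=' in line and key:
            name, _, data = line[1:].partition('"=')
            values[(key, name)] = data
    return unicode_fmt, values


def audit_auth_packages(reg_text, expected=EXPECTED_PACKAGES):
    """Return the LSA packages in reg_text that are not in `expected`.

    Every DLL listed here is loaded into lsass.exe at boot, which is how a
    Virtumonde DLL such as ssqrq survives a reboot and a user-mode cleanup.
    """
    unicode_fmt, values = parse_reg(reg_text)
    data = values.get((LSA_KEY, VALUE_NAME))
    if data is None:
        return []
    return [p for p in decode_hex7(data, unicode_fmt) if p not in expected]


def as_version5(strings):
    """Write the same list for a 'Windows Registry Editor Version 5.00' file.

    Pasting the REGEDIT4 bytes into a 5.00 file would be read as UTF-16LE
    and yield garbage package names, so re-encode rather than copy.
    """
    return "Windows Registry Editor Version 5.00\n\n[%s]\n\"%s\"=%s\n" % (
        LSA_KEY, VALUE_NAME, encode_hex7(strings, unicode_fmt=True))


# The Registry:: block from the CFScript above, verbatim.
CLEAN_CFSCRIPT = r"""Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

# Constructed sample: the value as ComboFix reported it before the fix.
INFECTED_REG = "REGEDIT4\n\n[%s]\n\"%s\"=%s\n" % (
    LSA_KEY, VALUE_NAME,
    encode_hex7(["msv1_0", r"C:\WINDOWS\system32\ssqrq"]))

if __name__ == "__main__":
    for label, text in (("CFScript", CLEAN_CFSCRIPT), ("infected", INFECTED_REG)):
        extra = audit_auth_packages(text)
        print("%-9s extra LSA packages: %s" % (label, extra or "none"))
```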

PhilX
2008-01-07, 13:29
Hi Shaba

As far as the reinstall goes, that is fine. Would it be OK to just copy the "quickset.exe" file from an identical uninfected laptop, or are we losing registry settings as well?

Here are the logs as requested.

Combofix run 3 part 1

ComboFix 08-01-04.1 - Xanthe 2008-01-07 11:15:59.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.500 [GMT 0:00]
Running from: C:\Documents and Settings\Xanthe\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Xanthe\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe
C:\WINDOWS\system32\ssqrq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dell\E-Center\EULALauncher.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\ssqrq.exe
C:\WINDOWS\system32\WLTRAY.exe


<pre>
"C:\dell\E-Center\EULALauncher .exe" replaces infected copy of "C:\dell\E-Center\EULALauncher.exe"
"C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe" replaces infected copy of "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe" replaces infected copy of "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" replaces infected copy of "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv .exe" replaces infected copy of "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
"C:\Program Files\Dell Support Center\bin\sprtcmd .exe" replaces infected copy of "C:\Program Files\Dell Support Center\bin\sprtcmd.exe"
"C:\Program Files\Dell Support Center\gs_agent\custom\dsca .exe" replaces infected copy of "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
"C:\Program Files\Java\jre1.5.0_07\bin\jusched .exe" replaces infected copy of "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
"C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc .exe" replaces infected copy of "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
"C:\Program Files\Synaptics\SynTP\SynTPEnh .exe" replaces infected copy of "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
"C:\Program Files\Windows Defender\MSASCui .exe" replaces infected copy of "C:\Program Files\Windows Defender\MSASCui.exe"
"C:\WINDOWS\system32\WLTRAY .exe" replaces infected copy of "C:\WINDOWS\system32\WLTRAY.exe"
</pre>
.
.
((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-07 11:13 . 2008-01-07 11:13 1,392,640 --a------ C:\WINDOWS\system32\WLTRAY.exe
2008-01-06 18:46 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 17:53 . 2007-12-19 02:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-01-05 17:53 . 2007-12-19 02:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2008-01-04 13:00 . 2008-01-04 13:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-04 01:45 . 2008-01-04 01:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-30 14:26 . 2007-12-30 14:26 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\Leadertech
2007-12-30 14:08 . 2007-12-30 14:08 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\AdobeUM
2007-12-30 14:08 . 2007-12-30 14:08 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\AdobeAUM
2007-12-30 14:05 . 2007-12-30 14:06 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\Teleca
2007-12-30 14:04 . 2007-12-30 14:04 <DIR> d-------- C:\Program Files\Sony Ericsson
2007-12-30 14:04 . 2008-01-04 12:56 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2007-12-30 14:02 . 2007-12-30 14:02 6,144 --a------ C:\WINDOWS\system32\drivers\k750cm.sys
2007-12-30 14:02 . 2007-12-30 14:02 5,744 --a------ C:\WINDOWS\system32\drivers\k750wh.sys
2007-12-30 14:01 . 2007-12-30 14:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-30 14:01 . 2007-12-30 14:02 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-26 20:53 . 2007-12-26 20:53 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-12-26 20:14 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-26 20:14 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-12-26 20:14 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-26 01:29 . 2008-01-07 11:19 <DIR> d-------- C:\MDT
2007-12-26 01:28 . 2007-12-26 01:28 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\CyberLink
2007-12-26 01:28 . 2007-12-26 01:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-25 20:55 . 2007-12-25 20:55 268 --ah----- C:\sqmdata01.sqm
2007-12-25 20:55 . 2007-12-25 20:55 244 --ah----- C:\sqmnoopt01.sqm
2007-12-25 20:53 . 2007-12-25 20:53 268 --ah----- C:\sqmdata00.sqm
2007-12-25 20:53 . 2007-12-25 20:53 244 --ah----- C:\sqmnoopt00.sqm
2007-12-25 20:36 . 2008-01-07 11:18 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-25 20:31 . 2007-12-25 20:31 <DIR> d-------- C:\Program Files\IZArc
2007-12-25 18:20 . 2007-12-25 18:20 <DIR> d-------- C:\Documents and Settings\Xanthe\Contacts
2007-12-25 17:54 . 2007-12-26 20:53 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-12-25 17:54 . 2007-12-25 17:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-12-25 17:53 . 2007-12-30 14:04 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-25 17:53 . 2007-12-25 17:53 <DIR> d-------- C:\Program Files\MSN Messenger
2007-12-25 08:38 . 2008-01-07 11:19 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\OpenOffice.org2
2007-12-25 08:37 . 2007-12-25 08:37 <DIR> d-------- C:\Program Files\OpenOffice.org 2.1
2007-12-25 08:14 . 2007-12-25 08:14 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\MSNInstaller
2007-12-25 01:07 . 2007-12-25 01:07 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-25 01:00 . 2007-07-09 13:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-25 00:42 . 2007-12-25 00:42 <DIR> d---s---- C:\Documents and Settings\Xanthe\UserData
2007-12-25 00:39 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-25 00:38 . 2007-12-25 00:38 4,128 --a------ C:\INFCACHE.1
2007-12-25 00:08 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-12-25 00:08 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-25 00:08 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-12-25 00:08 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2007-12-25 00:07 . 2007-12-25 00:07 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\Dell
2007-12-25 00:06 . 2007-12-19 02:04 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\InstallShield
2007-12-25 00:06 . 2007-12-19 02:15 <DIR> d-------- C:\Documents and Settings\Xanthe\Application Data\ATI
2007-12-25 00:03 . 2007-12-25 00:03 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2007-12-19 02:15 . 2007-12-19 02:15 61 --a------ C:\WINDOWS\smscfg.ini
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Program Files\Microsoft Works
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Program Files\Dell Support Center
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2007-12-19 02:12 . 2007-12-19 02:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-12-19 02:08 . 2007-12-25 00:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-19 02:07 . 2007-12-19 02:08 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-19 02:07 . 2007-12-19 02:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Roxio
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\CyberLink
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2007-12-19 02:06 . 2007-12-19 02:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\NetWaiting
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\Modem Diagnostic Tool
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\Digital Line Detect
2007-12-19 02:05 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2007-12-19 02:05 . 2007-12-19 02:05 <DIR> d-------- C:\Program Files\ATI Technologies
2007-12-19 02:04 . 2007-12-19 02:04 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-12-19 02:04 . 2007-12-19 02:06 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-12-19 02:04 . 2007-12-19 02:07 <DIR> d-------- C:\Program Files\Dell
2007-12-19 02:04 . 2007-12-19 02:06 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-12-19 02:04 . 2007-12-19 02:04 <DIR> d-------- C:\Program Files\Broadcom
2007-12-19 02:03 . 2007-12-19 02:03 <DIR> d-------- C:\Program Files\Sigmatel
2007-12-19 02:03 . 2007-04-23 21:01 4,939,776 --a------ C:\WINDOWS\system32\stacgui.cpl
2007-12-19 02:03 . 2007-04-23 21:01 1,601,536 --a------ C:\WINDOWS\system32\stlang.dll
2007-12-19 02:03 . 2007-04-23 21:01 303,104 --a------ C:\WINDOWS\stsystra.exe
2007-12-19 02:03 . 2004-08-03 22:58 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-12-19 02:03 . 2004-08-03 22:58 5,376 --a------ C:\WINDOWS\system32\dllcache\mspclock.sys
2007-12-19 02:02 . 2007-12-19 02:02 <DIR> d-------- C:\Program Files\CONEXANT
2007-12-19 02:02 . 2004-08-04 00:56 130,048 --a------ C:\WINDOWS\system32\ksproxy.ax
2007-12-19 02:02 . 2004-08-04 00:56 130,048 --a------ C:\WINDOWS\system32\dllcache\ksproxy.ax
2007-12-19 02:02 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-12-19 02:02 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS\system32\dllcache\drmk.sys
2007-12-19 02:02 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-12-19 02:02 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS\system32\dllcache\ksuser.dll
2007-12-19 02:01 . 2004-08-04 05:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-19 02:01 . 2006-03-17 00:38 28,672 --a------ C:\WINDOWS\system32\verclsid.exe
2007-12-19 02:01 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-19 01:59 . 2007-12-25 08:36 <DIR> d-------- C:\Program Files\Java
2007-12-19 01:59 . 2007-12-19 01:59 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-19 01:59 . 2006-05-03 02:56 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2007-12-19 01:57 . 2007-12-19 01:57 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-19 01:57 . 2007-06-13 10:23 1,033,216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-12-19 01:57 . 2007-05-17 11:28 549,376 --------- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-12-19 01:57 . 2007-05-30 10:47 81,664 --------- C:\WINDOWS\system32\dllcache\videoprt.sys
2007-12-19 01:57 . 2007-05-03 10:27 78,720 --------- C:\WINDOWS\system32\dllcache\sdbus.sys
2007-12-19 01:57 . 2007-05-03 10:03 12,032 --------- C:\WINDOWS\system32\dllcache\sffdisk.sys
2007-12-19 01:57 . 2007-05-03 10:03 11,008 --------- C:\WINDOWS\system32\dllcache\sffp_sd.sys

.

PhilX
2008-01-07, 13:29
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-06_18.57.04.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-06 18:49:46 53,838 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-07 10:49:25 53,838 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-06 18:49:46 382,260 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-07 10:49:25 382,260 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2008-01-07 11:13 202544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-07 11:13 851968]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2008-01-07 11:13 36975]
"SigmatelSysTrayApp"="stsystra.exe" [2007-04-23 21:01 303104 C:\WINDOWS\stsystra.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2008-01-07 11:13 1392640]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2008-01-07 11:13 90112]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-01-07 11:13 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-01-07 11:13 81920]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2008-01-07 11:13 1116920]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-01-07 11:13 118784]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2008-01-07 11:13 17920]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-01-07 11:13 16384]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-07 11:13 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\Xanthe\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48]

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2007-05-23 14:07]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 10:35]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 19:08:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-01-07 11:16:56 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 11:19:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\X6DKRY5CJQX4BIOV

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-01-07 11:21:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-07 11:20:47
ComboFix2.txt 2008-01-07 10:47:32
ComboFix3.txt 2008-01-06 18:57:31
.
2008-01-03 23:50:35 --- E O F ---

PhilX
2008-01-07, 13:30
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:58, on 07/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Dell\E-Center\EULALauncher.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\PhilX.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=1071219
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/MyAccount.asp?affid=105-256&dtag=D5B4C3J&langid=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?769d74ff525b4fa5b59a103963f7943b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?769d74ff525b4fa5b59a103963f7943b
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198543405921
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6481 bytes

Shaba
2008-01-07, 13:36
Hi

"As far as the reinstall goes that is fine, would it be OK to just copy the "quickset.exe" file from an identical uninfected laptop? Or are we losing registry settings as well?"

If versions are the same, then yes.

The problem is that I removed QuickSet from starting with Windows in order to stop reinfection.

So after you have copied that file from the other computer to this one, you need to do this:

First we'll need to back up the registry:

Start -> Run -> regedit -> OK. Then File -> Export. Give it a name and press Save.

Save the text below as fix.reg in Notepad (save as type: All Files (*.*)) on the Desktop:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe"

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Double-click fix.reg, press Yes and then OK.

(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)

Reboot.

After that, you will need to allow that PC to access the internet again in order to install an antivirus:

Looking over your log, it seems you don't have any evidence of anti-virus software.

Anti-virus software is a program that detects, cleans and erases harmful virus files on a computer, web server or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer's memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/) - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/doc/1) - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Remember to check that Windows' own firewall is on, too.

After those steps, please post back a fresh HijackThis log :)
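
Added example, not from Shaba's post or from any tool named in it: a Python script that generates a fix.reg like the one above in the escaped form the Registry Editor 5.00 format specifies (Regedit's own exports double every backslash inside string values), parses it back to confirm it says what was intended, and lists the things worth checking before an autostart value is put back: a file name with whitespace next to the extension (the "quickset .exe" pattern visible in the AVG log later in this thread), a bare name that is resolved through the search path at logon, an unquoted path containing spaces, and a target file that does not exist yet. The `exists` callback and the `present` set are stand-ins for the real file system so the script runs offline; on the real machine you would pass `os.path.isfile`.

```python
import re

REG_HEADER = "Windows Registry Editor Version 5.00"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


# REG_SZ values in a .reg file escape exactly two characters: backslash and double quote.
def reg_escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace('"', '\\"')


def reg_unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def build_run_entry(name: str, command: str, key: str = RUN_KEY) -> str:
    """Text of a .reg file that (re)creates one string value under `key`.
    Regedit's own exports are UTF-16 with a BOM; write this out with encoding="utf-16"."""
    return "\r\n".join([
        REG_HEADER,
        "",
        f"[{key}]",
        f'"{reg_escape(name)}"="{reg_escape(command)}"',
        "",
    ])


VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text: str) -> dict:
    """Parse the subset of the format used by fixes like this one (string values only).
    Returns {key: {value_name: value}} and raises on anything else, so a mistyped
    line is noticed before the file is imported."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != REG_HEADER:
        raise ValueError("missing 'Windows Registry Editor Version 5.00' header")
    result, key = {}, None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            raise ValueError(f"unsupported line: {line!r}")
        result[key][reg_unescape(m.group(1))] = reg_unescape(m.group(2))
    return result


# Image path of a Run-key command: the quoted part if quoted, otherwise up to the first ".exe".
IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.exe))', re.IGNORECASE)


def image_path(command: str):
    m = IMAGE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else None


def autostart_warnings(command: str, exists=None) -> list:
    """Checks worth making before an autostart value is put back.
    `exists` is an optional callable(path) -> bool (os.path.isfile on the real
    machine; a stand-in here so the example runs offline)."""
    warnings = []
    path = image_path(command)
    if path is None:
        return ["could not identify the image path"]
    base = path.rsplit("\\", 1)[-1]
    stem = base[:-4] if base.lower().endswith(".exe") else base
    if stem != stem.strip():
        warnings.append(f"{base!r}: whitespace next to the extension, a look-alike of a legitimate file name")
    if not re.match(r"^[A-Za-z]:\\", path):
        warnings.append(f"{path!r}: not an absolute path, resolved through the search path at logon")
    elif " " in path and not command.lstrip().startswith('"'):
        warnings.append(f"{path!r}: unquoted path with spaces (quote it)")
    if exists is not None and not exists(path):
        warnings.append(f"{path!r}: file not present, keep the entry disabled until it is restored")
    return warnings


if __name__ == "__main__":
    # Constructed stand-in for the laptop's file system: only the restored QuickSet binary is present.
    present = {r"C:\Program Files\Dell\QuickSet\quickset.exe"}
    fix = build_run_entry("Dell QuickSet", r"C:\Program Files\Dell\QuickSet\quickset.exe")
    print(fix)
    for cmd in parse_reg(fix)[RUN_KEY].values():
        print(cmd, autostart_warnings(cmd, exists=present.__contains__) or "OK")
    print(autostart_warnings(r"C:\Program Files\Dell\QuickSet\quickset .exe", exists=present.__contains__))
```

Run as is it prints the generated file, then one warning for the restored entry (the path is unquoted and contains spaces) and three for the look-alike name with a space before ".exe". The parser deliberately rejects anything but string values under a key, which is all a fix like this needs and makes a stray character fail loudly instead of being imported.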

PhilX
2008-01-07, 14:14
Hi Shaba

1. I cannot get hold of "quickset.exe" right now as my other daughter has put a password on her laptop and is at school; I can deal with that later or reinstall from the Dell utilities disc supplied with the PC.

2. Re anti-virus: yes, my fault, I was busy, daughter pestering to use the new laptop, hadn't finished setting it up. I will install AVG Free.

3. I also intend to follow recommendations from these forums and install SpywareBlaster and SpywareGuard (SBS&D already installed). I use Firefox everywhere else and will install it on the infected laptop as well; do the same recommendations still apply?

4. Firewall: until recently I have been using Zone Alarm. In December I bought a Netgear wireless router so that these new laptops could access the internet. I found that I could not get the router to work properly with Zone Alarm (free) no matter what (router IPs in trusted zone, trusted zone off, etc.); I could get a connection, but some communications between the router and PC were still being blocked and the router could not see the PC name (no file sharing etc.). The router has an SPI and NAT firewall; do I still need a personal firewall? Any suggestions? I realise this is off topic, so if you can't help that's fine.

As I said, I haven't done any of the regedit stuff right now. I have restarted the laptop and done another HijackThis; I don't know if you wanted this now, but the log follows.

Thanks again

Phil


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:33, on 07/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Dell\E-Center\EULALauncher.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\PhilX.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=1071219
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/MyAccount.asp?affid=105-256&dtag=D5B4C3J&langid=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?769d74ff525b4fa5b59a103963f7943b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?769d74ff525b4fa5b59a103963f7943b
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198543405921
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6499 bytes

Shaba
2008-01-07, 14:23
Hi

1. That is fine :)

2. Good.

3. You can wait for those installations until you're clean :)

4. "The router has a SPI and NAT filewall, do I still need a personal firewall?"

Not 100%. I also recommend installing a 3rd-party software firewall, but only after you're clean. I'll give my suggestions a bit later.

PhilX
2008-01-07, 14:58
Hi

Am I waiting for you to post again? or are you waiting for something from me?

If you are waiting for me please clarify what I should do next.

Please don't take this as me trying to hurry you up.

Phil

Shaba
2008-01-07, 15:00
Hi

Please post back a fresh HijackThis log after you have installed AVG Free, moved that file from the other laptop to that computer and run that .reg file, no hurry :)

PhilX
2008-01-07, 19:48
Hi

1. Switched wireless access point back on.
2. Copied "quickset.exe" from other laptop.
3. Regedit export - OK
4. Fix.reg - OK
5. Installed AVG Free. During installation AVG offers to get updates and perform a scan; perhaps I shouldn't have, but I loaded all available updates and let it do a scan. It found the quarantined items from ComboFix and removed/deleted them. I have included the log from AVG.

6. Ran Hijackthis, log follows.

Phil

AVG results...

"General properties",""
"Report name","Complete Test"
"Start time","1/7/2008 4:57:43 PM"
"End time","1/7/2008 5:30:12 PM (total: 32:27.6 Min)"
"Launch method","Scanning launched manually"
"Scanning result","Threats found"
"Report status","Scanning completed successfully"
" ",""
"Object summary",""
"Scanned","72058"
"Threats Found","21"
"Cleaned","0"
"Moved to vault","3"
"Deleted","17"
"Errors","0"
"C:\QooBox\Quarantine\catchme2008-01-06_185522.14.zip:\byxxust.dll","Trojan horse Downloader.Generic6.ACDC","Infected, Embedded object, Deleted"
"C:\QooBox\Quarantine\catchme2008-01-06_185522.14.zip:\ssqrq.dll","Trojan horse Generic9.AKAR","Infected, Embedded object, Deleted"
"C:\QooBox\Quarantine\catchme2008-01-06_185522.14.zip","","Moved to Vault, Archive"
"C:\QooBox\Quarantine\C\dell\E-Center\EULALauncher.exe.vir","","Deleted"
"C:\QooBox\Quarantine\C\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe.vir","","Deleted"
"C:\QooBox\Quarantine\C\Program Files\Common Files\InstallShield\UpdateService\issch.exe.vir","","Deleted"
"C:\QooBox\Quarantine\C\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe.vir","","Deleted"
"C:\QooBox\Quarantine\C\Program Files\Dell\QuickSet\quickset .exe.vir","","Deleted"
"C:\QooBox\Quarantine\C\Program Files\Dell\QuickSet\quickset .exe.vir","","Deleted"
"C:\QooBox\Quarantine\C\Program Files\Dell Support Center\bin\sprtcmd.exe.vir","","Deleted"
"C:\QooBox\Quarantine\C\Program Files\Dell Support Center\gs_agent\custom\dsca.exe.vir","","Deleted"
"C:\QooBox\Quarantine\C\Program Files\Java\jre1.5.0_07\bin\jusched.exe.vir","","Deleted"
"C:\QooBox\Quarantine\C\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe.vir","","Deleted"
"C:\QooBox\Quarantine\C\Program Files\Synaptics\SynTP\SynTPEnh.exe.vir","","Deleted"
"C:\QooBox\Quarantine\C\Program Files\Windows Defender\MSASCui.exe.vir","","Deleted"
"C:\QooBox\Quarantine\C\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe.vir","","Deleted"
"C:\QooBox\Quarantine\C\WINDOWS\system32\obhstkxv.dll.vir","","Moved to Vault"
"C:\QooBox\Quarantine\C\WINDOWS\system32\pfcfbrxt.dll.vir","","Moved to Vault"
"C:\QooBox\Quarantine\C\WINDOWS\system32\ssqrq.dll.vir","","Deleted"
"C:\QooBox\Quarantine\C\WINDOWS\system32\ssqrq.exe.vir","","Deleted"
"C:\QooBox\Quarantine\C\WINDOWS\system32\usnserv.exe.vir","","Deleted"
"C:\QooBox\Quarantine\C\WINDOWS\system32\WLTRAY.exe.vir","","Deleted"

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:38:44, on 07/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Dell\E-Center\EULALauncher.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\PhilX.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=1071219
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/MyAccount.asp?affid=105-256&dtag=D5B4C3J&langid=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?769d74ff525b4fa5b59a103963f7943b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?769d74ff525b4fa5b59a103963f7943b
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198543405921
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7143 bytes
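
Added example, not part of the thread or of HijackThis itself: the two logs posted on 07/01/2008 (11:55 and 17:38) differ only by the AVG installation, which is the kind of thing a diff makes obvious instead of a line-by-line read. The script below parses a HijackThis log into its running-process list and its R*/F*/N*/O* entries, diffs two runs, and reports any changed line that does not mention something you knowingly installed or removed. The sample logs are trimmed excerpts of the two logs above; they keep `msiexec.exe` from the first run to show that the process list is a snapshot (an installer that happened to be running) while the O4/O23 entries are durable autostart state, which is what you actually want to track between runs.

```python
import re

# R0-R3 (IE settings), F0-F3 (ini autostarts), N1-N4 (Netscape/Mozilla), O1-O24 (everything else).
ENTRY_RE = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")


def parse_hjt(text: str):
    """Split a HijackThis log into its running-process list and its scan entries."""
    processes, entries, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # the process list ends at the first blank line
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.add(line)
        elif ENTRY_RE.match(line):
            entries.add(line)
    return processes, entries


def diff_hjt(before: str, after: str) -> dict:
    """What appeared and what disappeared between two runs, processes and entries separately."""
    pb, eb = parse_hjt(before)
    pa, ea = parse_hjt(after)
    return {
        "processes_added": sorted(pa - pb),
        "processes_removed": sorted(pb - pa),
        "entries_added": sorted(ea - eb),
        "entries_removed": sorted(eb - ea),
    }


def unexplained(changes: dict, expected: list) -> list:
    """Changed lines that mention none of the things you knowingly installed or removed."""
    out = []
    for kind, lines in changes.items():
        for line in lines:
            if not any(s.lower() in line.lower() for s in expected):
                out.append((kind, line))
    return out


# Trimmed excerpts of the two logs posted above (11:55 and 17:38 on 07/01/2008).
BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:33, on 07/01/2008

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\PhilX.exe

O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:38:44, on 07/01/2008

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Trend Micro\HijackThis\PhilX.exe

O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

if __name__ == "__main__":
    changes = diff_hjt(BEFORE, AFTER)
    for kind, lines in changes.items():
        for line in lines:
            print(f"{kind:18} {line}")
    # Everything added should be explained by the AVG install; the only leftover is the
    # transient msiexec.exe process, which is a snapshot artefact, not a persistence change.
    print("unexplained:", unexplained(changes, ["AVG7", "Grisoft"]))
```

The same diff run against a log taken before a cleanup and one taken after it shows exactly which O2/O4/O20 lines a fix removed and whether anything came back after a reboot, which is the question a reinfection-prone family like Virtumonde makes you ask.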

Shaba
2008-01-07, 19:52
Hi

AVG found only the ones already in quarantine; let's find out if there are more:

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

 - Scan using the following Anti-Virus database:
     - Extended (if available, otherwise Standard)
 - Scan Options:
     - Scan Archives
     - Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only!

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report
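
Added example, not part of Shaba's instructions or of the Kaspersky scanner: a triage script for the saved report. Most lines in such a report are "Object is locked skipped", which means an in-use file (registry hives, the AVG and Defender logs, index.dat) the scanner could not open, not a finding, and detections inside System Volume Information\_restore{...} are restore-point copies that are inert until a restore is performed and are cleared by turning System Restore off and on once the machine is clean. The script separates those three groups so the live detections stand out. The sample report reuses three locked lines from the report posted below plus three detection lines constructed for illustration (the threat names are placeholders, not real Kaspersky records); the real file separates fields with tabs, which `\s+` accepts as well as the spaces used here.

```python
import re
from collections import Counter

STATUS_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<status>Object is locked|Password-protected|Infected: .+?|Suspicious: .+?)\s+"
    r"(?P<action>skipped|deleted|disinfected|quarantined)$"
)
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)
HEADER = "Infected Object Name / Virus Name / Last Action"


def triage(report: str) -> dict:
    """Split the object list of a Kaspersky Online Scanner report into real
    detections, locked (in-use) objects the scanner could not open, and lines
    the parser did not understand (so nothing is silently dropped)."""
    start = report.find(HEADER)
    body = report[start + len(HEADER):] if start >= 0 else report
    out = {"detections": [], "locked": [], "unparsed": []}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("Scan process completed"):
            continue
        m = STATUS_RE.match(line)
        if not m:
            out["unparsed"].append(line)
            continue
        rec = m.groupdict()
        rec["in_restore_point"] = bool(RESTORE_RE.search(rec["path"]))
        bucket = "detections" if rec["status"].startswith(("Infected", "Suspicious")) else "locked"
        out[bucket].append(rec)
    return out


def summarize(tri: dict) -> dict:
    """Counts per threat name plus the detections outside System Restore, which need action now."""
    names = Counter(d["status"].split(": ", 1)[1] for d in tri["detections"])
    live = [d["path"] for d in tri["detections"] if not d["in_restore_point"]]
    return {
        "locked": len(tri["locked"]),
        "detections": len(tri["detections"]),
        "by_name": dict(names),
        "live": live,
    }


# Constructed sample: three locked lines as they appear in the report posted in this
# thread, then three detection lines made up for illustration (placeholder threat names).
SAMPLE = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\Xanthe\NTUSER.DAT Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\A0003789.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003847.exe Infected: Trojan.Win32.Example.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003848.exe Infected: Trojan.Win32.Example.a skipped
C:\WINDOWS\system32\example.dll Infected: Trojan.Win32.Example.b skipped

Scan process completed.
"""

if __name__ == "__main__":
    tri = triage(SAMPLE)
    print(summarize(tri))
    for d in tri["detections"]:
        where = "restore point" if d["in_restore_point"] else "LIVE"
        print(f"{where:13} {d['status']:40} {d['path']}")
    if tri["unparsed"]:
        print("check by hand:", tri["unparsed"])
```

Anything the regex does not recognise lands in `unparsed` rather than being dropped, so a report with a status string this script has not seen still gets looked at by a human.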

PhilX
2008-01-07, 21:24
Hi

Here are the Kaspersky and hijackthis reports.

Phil

PhilX
2008-01-07, 21:25
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, January 07, 2008 7:18:44 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/01/2008
Kaspersky Anti-Virus database records: 503726
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 46061
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 00:35:50

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12252007-203614.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\SupportSoft\DellSupportCenter\SYSTEM\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Xanthe\Application Data\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped
C:\Documents and Settings\Xanthe\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Xanthe\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Xanthe\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini.inuse Object is locked skipped
C:\Documents and Settings\Xanthe\Local Settings\Application Data\ApplicationHistory\sprtcmd.exe.63e7480d.ini.inuse Object is locked skipped
C:\Documents and Settings\Xanthe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Xanthe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Xanthe\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{8930AFD1-A5D3-4EDD-8FBA-229A266E3D3F} Object is locked skipped
C:\Documents and Settings\Xanthe\Local Settings\Application Data\SupportSoft\DellSupportCenter\Xanthe\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\Xanthe\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Xanthe\Local Settings\Temp\Perflib_Perfdata_1a8.dat Object is locked skipped
C:\Documents and Settings\Xanthe\Local Settings\Temp\Perflib_Perfdata_c6c.dat Object is locked skipped
C:\Documents and Settings\Xanthe\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Xanthe\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Xanthe\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\A0003789.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\A0003793.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\A0003814.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\A0003815.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\A0003817.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\A0003818.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\A0003819.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\A0003820.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\A0003821.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\A0003822.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\A0003823.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\A0003824.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\A0003825.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\A0003826.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\A0003827.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\A0003828.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\A0003829.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\A0003830.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\A0003831.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003847.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003848.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003849.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003850.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003852.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003853.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003854.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003855.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003856.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003857.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003858.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003859.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003860.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003861.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003862.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003863.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003868.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003870.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003871.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003872.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003873.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003874.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003875.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003876.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003877.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003878.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003879.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003880.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003881.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003882.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003883.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003884.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0003885.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003913.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003918.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003919.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003920.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003921.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003923.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003924.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003925.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003926.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003927.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003928.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003929.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003930.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003931.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003932.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003933.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003934.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003936.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003946.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003956.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003957.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003958.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003960.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003961.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003963.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003964.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003965.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003966.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003967.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003968.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003969.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003970.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0003971.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0003990.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0003996.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0003997.exe Object is locked skipped

PhilX
2008-01-07, 21:26
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0003999.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0004002.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0004006.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0004007.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0004008.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0004009.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0004010.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0004012.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0004013.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0004014.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0004015.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0004016.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0004991.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0004994.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0004997.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0004998.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0005002.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0005004.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0005006.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0005008.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0005010.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0005011.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0005012.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0005013.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0005014.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0005015.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0005016.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP22\A0005063.rbf Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP23\A0005155.rbf Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0005171.rbf Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006115.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006119.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006121.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006125.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006126.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006130.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006131.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006132.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006133.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006135.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006136.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006137.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006138.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006139.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006156.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006161.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006162.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006166.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006167.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006168.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006169.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006170.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006172.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006173.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006174.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006176.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006177.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006179.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006198.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006204.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006206.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006207.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006209.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006212.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006213.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006214.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006215.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006217.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006218.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006219.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006220.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006221.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006234.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006235.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006236.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006237.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006238.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006239.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006240.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006241.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006242.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006243.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006244.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006245.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006246.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006247.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006274.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006275.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006278.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006279.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006281.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006283.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006284.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006286.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006287.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006288.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006289.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006291.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006292.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006310.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006311.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006313.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006314.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006316.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006317.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006318.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006319.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006320.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006321.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006322.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006323.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006324.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006328.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP25\A0006348.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP25\A0006349.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP25\A0006350.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP25\A0006351.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP25\A0006353.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP25\A0006354.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP25\A0006355.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP25\A0006356.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP25\A0006357.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP25\A0006358.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP25\A0006359.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP25\A0006360.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP25\A0006361.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP26\A0006366.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP26\A0006368.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP26\A0006369.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP26\A0006372.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP26\A0006373.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP26\A0006374.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP26\A0006375.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP26\A0006376.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP26\A0006377.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP26\A0006378.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP26\A0006379.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP26\A0006380.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP26\A0006381.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP26\A0006382.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP26\A0006383.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP26\A0006384.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP26\A0006385.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP26\A0006395.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP26\A0006401.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP26\A0006408.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP26\A0006409.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP27\A0006490.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP27\A0006491.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP27\A0006493.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP27\A0006494.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP27\A0006495.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP27\A0006497.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP27\A0006498.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP27\A0006500.exe Object is locked skipped
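The log posted above is one scanner result per line, and two very different things are mixed together in it: "Object is locked skipped" means the scanner could not open the file (it is in use or access-protected) and is not a detection, while the three "Infected: Trojan-Dropper.Win32.Agent.dgo" hits are copies sitting in System Restore points (the _restore{GUID}\RPnn folders), which an on-demand scanner cannot clean and which are only removed by purging the restore points after the live system is clean. The Python below is an added example, not code from this thread or from Kaspersky, that parses lines of this shape and separates those cases. The sample lines are constructed in the format of the posted log; the last one (a hypothetical hit under C:\WINDOWS\system32) is made up purely to show how a live-file detection is reported apart from restore-point copies.

```python
import re
from collections import Counter

# Constructed sample in the shape of the posted Kaspersky log. The final line is
# made up (a hypothetical live-file hit) to show the live vs. restore-point split.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0005016.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP22\A0005063.rbf Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP23\A0005155.rbf Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0005171.rbf Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP24\A0006115.exe Object is locked skipped
C:\WINDOWS\system32\hypothetical.dll Infected: Trojan.Win32.Hypothetical.a skipped
"""

# One scan-result line: <path>, then either "Infected: <verdict>" or
# "Object is locked", then the action the scanner took ("skipped" here).
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:Infected:\s+(?P<verdict>\S+)|Object is locked)\s+(?P<action>\S+)\s*$"
)
# Restore-point copies live under System Volume Information\_restore{GUID}\RPnn\.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict for one scan-result line, or None for anything else
    (blank lines, forum post headers, free text)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    rp = RESTORE_RE.search(path)
    return {
        "path": path,
        "status": "infected" if m.group("verdict") else "locked",
        "verdict": m.group("verdict"),
        "action": m.group("action"),
        "restore_point": rp.group("rp") if rp else None,
    }


def triage(log_text):
    """Split a log into locked files (not detections), hits inside restore
    points (purge System Restore after cleaning) and hits on live files."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    infected = [e for e in entries if e["status"] == "infected"]
    in_rp = [e for e in infected if e["restore_point"]]
    live = [e for e in infected if not e["restore_point"]]
    return {
        "locked": sum(1 for e in entries if e["status"] == "locked"),
        "infected_in_restore_points": in_rp,
        "infected_live": live,
        "verdicts": Counter(e["verdict"] for e in infected),
        "restore_points_with_hits": sorted(
            {e["restore_point"] for e in in_rp}, key=lambda rp: int(rp[2:])
        ),
    }


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(f"locked (could not be opened, not detections): {s['locked']}")
    print(f"hits inside restore points: {len(s['infected_in_restore_points'])} "
          f"in {s['restore_points_with_hits']}")
    print(f"hits on live files (clean these first): {len(s['infected_live'])}")
    for verdict, n in s["verdicts"].most_common():
        print(f"  {verdict}: {n}")
```

Run against a full pasted log, the summary tells you at a glance whether anything detected is still on the live file system or whether, as in the posted log, every remaining hit is a restore-point copy. Lines such as the forum post headers ("PhilX", the timestamp) are ignored rather than mis-parsed, so the whole thread text can be fed in as-is.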

PhilX
2008-01-07, 21:27
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP27\A0006501.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP27\A0006503.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP27\A0006504.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP27\A0006505.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP27\A0006506.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP27\A0006508.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP29\A0006519.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP29\A0006520.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP29\A0006521.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP29\A0006522.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP29\A0006523.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP29\A0006524.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP29\A0006525.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP29\A0006526.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP29\A0006527.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP29\A0006528.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP29\A0006529.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP29\A0006530.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP29\A0006531.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP29\A0006532.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP30\A0006536.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP30\A0006537.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP30\A0006538.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP30\A0006539.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP30\A0006540.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP30\A0006541.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP30\A0006542.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP30\A0006543.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP30\A0006544.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP30\A0006545.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP30\A0006546.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP30\A0006547.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP30\A0006548.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP30\A0006549.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP30\A0006550.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP30\A0006551.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP31\A0006619.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP31\A0006620.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP31\A0006622.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP31\A0006623.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP31\A0006624.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP31\A0006625.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP31\A0006626.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP31\A0006627.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP31\A0006628.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP31\A0006629.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP31\A0006630.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP31\A0006631.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP31\A0006632.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP31\A0006633.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP33\A0006644.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP33\A0006646.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP33\A0006647.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP33\A0006648.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP33\A0006649.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP33\A0006650.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP33\A0006651.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP33\A0006652.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP33\A0006653.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP33\A0006654.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP33\A0006655.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP33\A0006656.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP33\A0006657.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP34\A0006658.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP34\A0006660.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP34\A0006661.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP34\A0006662.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP34\A0006663.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP34\A0006664.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP34\A0006665.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP34\A0006666.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP34\A0006667.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP34\A0006668.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP34\A0006669.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP34\A0006670.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP34\A0006671.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP34\A0006672.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP34\A0006741.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP35\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{AC57E7D5-489C-480C-8B18-63BEAC22076B}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

PhilX
2008-01-07, 21:28
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:20:22, on 07/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Dell\E-Center\EULALauncher.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\PhilX.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=1071219
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/MyAccount.asp?affid=105-256&dtag=D5B4C3J&langid=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?769d74ff525b4fa5b59a103963f7943b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?769d74ff525b4fa5b59a103963f7943b
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198543405921
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7272 bytes
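
The log above is reviewed line by line, and the verdict that follows rests on nothing in it looking out of place. As an added example that is not part of the thread (it is not HijackThis's code nor anything the participants posted), the script below parses the O2, O4 and O23 lines of a HijackThis 2.0.2 log into records and applies three checks a reviewer otherwise does by eye: a BHO registered with no name, a Run entry whose command is a bare filename (resolved through the search path, so it is only as trustworthy as that path), and a service whose vendor HijackThis could not identify. The sample lines are copied from the log above; every hit they produce is legitimate (Spybot's own SDHelper.dll, the SigmaTel tray applet, the Dell WLAN tray service), which is the point: a flag is a lead to look up, not a verdict.

```python
r"""Triage of HijackThis O2/O4/O23 lines.

Added example; it is not HijackThis's code nor anything posted in the
thread. It parses the BHO (O2), Run-key (O4) and service (O23) lines of a
HijackThis 2.0.2 log into records and applies three reviewer heuristics.
A flag is a lead to check, not a verdict.
"""
import re
from typing import List, NamedTuple


class Entry(NamedTuple):
    kind: str   # "O2", "O4" or "O23"
    name: str   # BHO name, Run value name or service display name
    path: str   # binary as written in the log
    note: str   # reason it was flagged, empty when not flagged


O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# Hive is HKLM, HKCU, HKUS\<SID> or HKUS\.DEFAULT, followed by \..\Run:
O4_RE = re.compile(r"^O4 - (?P<hive>HK\S*?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<rest>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")
# First executable in a command: optional quotes, shortest run ending in .exe
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?', re.IGNORECASE)

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""


def parse_log(text: str) -> List[Entry]:
    """Turn O2/O4/O23 lines into Entry records; other line types are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = O2_RE.match(line)
        if m:
            note = "BHO registered without a name" if m.group("name") == "(no name)" else ""
            entries.append(Entry("O2", m.group("name"), m.group("path"), note))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = USER_SUFFIX_RE.sub("", m.group("cmd"))   # drop " (User '...')"
            e = EXE_RE.match(cmd)
            exe = e.group("exe") if e else (cmd.split() or [cmd])[0]
            # No directory separator: the loader finds it via the search path.
            note = "bare filename, resolved via the search path" if "\\" not in exe else ""
            entries.append(Entry("O4", m.group("name"), exe, note))
            continue
        m = O23_RE.match(line)
        if m:
            # "<display name> - <vendor> - <path>"; split from the right so a
            # display name containing " - " does not break the parse.
            parts = m.group("rest").rsplit(" - ", 2)
            if len(parts) == 3:
                name, owner, path = parts
                note = "service vendor not identified" if owner == "Unknown owner" else ""
                entries.append(Entry("O23", name, path, note))
    return entries


def flagged(text: str) -> List[Entry]:
    """Only the entries that tripped one of the heuristics."""
    return [e for e in parse_log(text) if e.note]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.kind:<3} {e.name}: {e.path} [{e.note}]")
```

Run against a full log, it lists three leads for the log above, all of which a reviewer clears in seconds by recognising the product; the value is in the entries it prints that you do not recognise. The remaining HijackThis classes (O1 hosts overrides, O3 toolbars, O16 DPF downloads, O17 DNS, O20/O21/O22 shell hooks) parse the same way and are left out here only for length.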

Shaba
2008-01-08, 15:29
Hi

Logs look good.

All viruses are in system restore and inactive.

I will give you instructions later on how to empty it.

Other than that, any problems left?

PhilX
2008-01-08, 17:33
Hi

No, it seems to be working OK. I have not done much else with it while waiting for the OK from you.

I just need to finish off securing it and tidying up (I want to cut down the number of startup processes etc).

As well as anything else you recommend I intend to upgrade to IE7 as it gets used anyway and install Firefox.

Thanks very much for your help, very educational apart from anything else.

Phil

Shaba
2008-01-08, 17:36
Hi

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove the older Java components and update: Download the latest version of Java Runtime Environment (JRE) 6 Update 3 (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it says "Java Runtime Environment (JRE) 6u3...allows end-users to run Java applications".
Click the "Download" button to the right.
Read the License Agreement and then check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

If you would like to install a third-party firewall, see below:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/)
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
4) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Next, we remove all the tools we used.

Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) and save it to desktop.

Double-click OTMoveIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.

Disable and re-enable System Restore - If you are using Windows XP, you should disable and re-enable System Restore to make sure no infected files remain in a restore point.

You can find instructions on how to disable and re-enable System Restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable System Restore using the instructions from the tutorial above.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure that your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware 2007 to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will be reduced dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites, etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free Google toolbar to help stop pop-up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean! :bigthumb:
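
The Internet Explorer hardening steps in the post above are six custom-level settings in the Internet zone; each one is stored as a REG_DWORD under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, with 0 = Enable, 1 = Prompt and 3 = Disable, under the action IDs Microsoft documents in KB 182569. As an added example that is not part of the post (nor Spybot's or Microsoft's code), the script below reads a `reg export` of that key and reports every setting that is missing or differs from what the post asks for, so the change can be verified, or re-checked later, without clicking through the dialog. The .reg text in it is a constructed sample, not an export from the machine in this thread.

```python
r"""Offline audit of Internet Explorer's Internet zone (zone 3) settings.

Added example for this thread; not Spybot's, Microsoft's or the poster's
code. Every custom-level setting of the Internet zone is a REG_DWORD under
  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
with 0 = Enable, 1 = Prompt, 3 = Disable. The six value names below are the
documented action IDs (Microsoft KB 182569). SAMPLE_REG is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

ENABLE, PROMPT, DISABLE = 0, 1, 3
STATE = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")

# Value name -> (setting as shown in the IE dialog, state the post asks for)
BASELINE = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Constructed sample of 'reg export' output: two of the six are still Enable.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00011000
"1001"=dword:00000001
"1004"=dword:00000003
"1201"=dword:00000003
"1607"=dword:00000000
"1800"=dword:00000001
"1804"=dword:00000000
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})\s*$')


def parse_reg(text: str) -> Dict[str, Dict[str, int]]:
    """Minimal .reg reader: {key (lower-cased): {value name: dword}}.

    Only REG_DWORD values are kept, since every zone action is a DWORD;
    string values such as DisplayName are skipped. Keys are lower-cased
    because registry key names are case-insensitive.
    """
    keys: Dict[str, Dict[str, int]] = {}
    current: Optional[Dict[str, int]] = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = keys.setdefault(m.group("key").lower(), {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            current[m.group("name")] = int(m.group("hex"), 16)
    return keys


# (value name, setting, current value or None if absent, required value)
Finding = Tuple[str, str, Optional[int], int]


def audit_zone(zone: Dict[str, int], baseline=BASELINE) -> List[Finding]:
    """Return every baseline setting whose value is absent or differs."""
    findings: List[Finding] = []
    for name, (setting, required) in baseline.items():
        current = zone.get(name)
        if current != required:
            findings.append((name, setting, current, required))
    return findings


def audit_reg_export(text: str) -> List[Finding]:
    zone = parse_reg(text).get(ZONE3_KEY.lower(), {})
    return audit_zone(zone)


def describe(f: Finding) -> str:
    name, setting, current, required = f
    now = "not set" if current is None else STATE.get(current, hex(current))
    return f"{name} {setting}: is {now}, should be {STATE[required]}"


if __name__ == "__main__":
    for finding in audit_reg_export(SAMPLE_REG):
        print(describe(finding))
```

On the XP machine, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` produces the input; reg.exe writes UTF-16, so read the file with `encoding="utf-16"` before passing it to `audit_reg_export`. Two caveats: a value that is absent is reported as "not set" rather than assumed safe, because the effective setting then comes from the zone's template and has to be confirmed in the dialog; and if `Security_HKLM_only` is set under HKLM\...\Internet Settings, the HKLM copy of the Zones key is the one IE applies and is the one to export.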

Shaba
2008-01-10, 12:35
Since this issue appears resolved ... this Topic is closed. Glad I could help.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.