PDA

View Full Version : Pretty Badly Infected



mike_biscup
2008-07-09, 02:41
Hello and thanks in advance for any assistance you might be able to lend.

I am new to this but it seems like everyone posts a HijackThis log so I will too.

I have NAV 2005, Trend Micro PC Cillin, Avast Aw-Aware, and Spybot and seem to have some combination of Virtumonde, Smitfraud-C.coreservice, and Zenosearch (probably just symptom of first two?)

Better ask in advance ... once I post this thing where do I go and when to look for any responses that I might get?

In any case here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:25 PM, on 7/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcqcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061031
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061031
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O2 - BHO: (no name) - {20F9FAE6-FF29-4525-9571-2471B053E94C} - (no file)
O2 - BHO: (no name) - {3B2E1F0E-FC05-4735-8CC8-CA7BB1EA7463} - C:\WINDOWS\system32\vtUnnkkK.dll (file missing)
O2 - BHO: (no name) - {3FC6B4BA-D3AD-4C7E-903B-49B87DE3ACF8} - C:\WINDOWS\system32\hgGawUlm.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {595AB1CB-B89B-45CE-8FC4-B4CF7E5A4FD4} - (no file)
O2 - BHO: (no name) - {5CC0BD31-5697-4060-AFC6-1BFAB71CEA66} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MySidesearch Search Assistant - {9506910A-0F94-4ea1-B567-7070428B8B2B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: gooochi browser optimizer - {b19f8033-1012-5f5e-57ad-deba1db831b2} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: {60cd72d7-d2bb-8a89-5ee4-27037a2ad00d} - {d00da2a7-3072-4ee5-98a8-bb2d7d27dc06} - C:\WINDOWS\system32\qkmjrd.dll
O2 - BHO: (no name) - {F7FA66F2-434E-4D28-85A1-752DE177FA52} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Dell Photo AIO Printer 966\memcard.exe
O4 - HKLM\..\Run: [Windows Console] wkssvc.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dlcqmon.exe] "C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168723584823
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215539304140
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.31.5/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcq_device - - C:\WINDOWS\system32\dlcqcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11148 bytes

mike_biscup
2008-07-10, 19:55
Hi ... just replying to myself ... hopefully someone will help me out.

The virus's that I seem to have are Virtumonde, Smitfraud and zenosearch.

I have managed to get a few Microsoft updates run hoping that I could get some relief by installing ie7 but no help at all.

Virus seems to become active when I launch ie.

I have a newer version of the hijack log.

Please help?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:02 AM, on 7/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcqcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061031
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061031
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: (no name) - {20F9FAE6-FF29-4525-9571-2471B053E94C} - (no file)
O2 - BHO: (no name) - {3B2E1F0E-FC05-4735-8CC8-CA7BB1EA7463} - (no file)
O2 - BHO: (no name) - {3FC6B4BA-D3AD-4C7E-903B-49B87DE3ACF8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {595AB1CB-B89B-45CE-8FC4-B4CF7E5A4FD4} - (no file)
O2 - BHO: (no name) - {5CC0BD31-5697-4060-AFC6-1BFAB71CEA66} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MySidesearch Search Assistant - {9506910A-0F94-4ea1-B567-7070428B8B2B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: gooochi browser optimizer - {b19f8033-1012-5f5e-57ad-deba1db831b2} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: {60cd72d7-d2bb-8a89-5ee4-27037a2ad00d} - {d00da2a7-3072-4ee5-98a8-bb2d7d27dc06} - C:\WINDOWS\system32\qkmjrd.dll
O2 - BHO: (no name) - {F7FA66F2-434E-4D28-85A1-752DE177FA52} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Dell Photo AIO Printer 966\memcard.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dlcqmon.exe] "C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-21-1767554826-2157576197-3961115364-1007\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" (User 'Marissa')
O4 - HKUS\S-1-5-21-1767554826-2157576197-3961115364-1007\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'Marissa')
O4 - HKUS\S-1-5-21-1767554826-2157576197-3961115364-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Marissa')
O4 - HKUS\S-1-5-21-1767554826-2157576197-3961115364-1007\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Marissa')
O4 - HKUS\S-1-5-21-1767554826-2157576197-3961115364-1007\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Marissa')
O4 - HKUS\S-1-5-21-1767554826-2157576197-3961115364-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Marissa')
O4 - HKUS\S-1-5-21-1767554826-2157576197-3961115364-1007\..\Run: [Microsoft Update] C:\WINDOWS\system32\spool.exe (User 'Marissa')
O4 - HKUS\S-1-5-21-1767554826-2157576197-3961115364-1007\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User 'Marissa')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-21-1767554826-2157576197-3961115364-1007 Startup: LimeWire On Startup.lnk = C:\RECYCLER\S-1-5-21-1767554826-2157576197-3961115364-1007\Dc17.jpg (User 'Marissa')
O4 - S-1-5-21-1767554826-2157576197-3961115364-1007 User Startup: LimeWire On Startup.lnk = C:\RECYCLER\S-1-5-21-1767554826-2157576197-3961115364-1007\Dc17.jpg (User 'Marissa')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168723584823
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215539304140
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.31.5/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcq_device - - C:\WINDOWS\system32\dlcqcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11953 bytes

shelf life
2008-07-13, 02:10
hi,

we will start with combofix:

Download combofix from one of these links and save it to your Desktop:

http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.

mike_biscup
2008-07-14, 21:23
Thank you Shelf Life ... ComboFix is currently running. Hopefully this works. I appreciate your willingness to take time to read thru these things and help. Do you want me to redo the hijack scan and repost or the combofix log or both?

Thanks again,

mike_biscup
2008-07-14, 21:31
Ok ... I am an idiot ... I just reread you post and see that you want the listings ... I will get them posted.

mike_biscup
2008-07-14, 22:15
Ok ... Here is Combofix log:

ComboFix 08-07-13.14 - Dad and Mom 2008-07-14 11:11:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.660 [GMT -7:00]
Running from: C:\Documents and Settings\Dad and Mom\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\admintxt.txt
C:\WINDOWS\BM039104a0.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\system32\1.bat
C:\WINDOWS\system32\2.bat
C:\WINDOWS\system32\anevtxmp.ini
C:\WINDOWS\system32\Ayaaayxx.ini
C:\WINDOWS\system32\Ayaaayxx.ini2
C:\WINDOWS\system32\deMUDcfe.ini
C:\WINDOWS\system32\deMUDcfe.ini2
C:\WINDOWS\system32\emfwfveo.dll
C:\WINDOWS\system32\f10
C:\WINDOWS\system32\gwydknum.ini
C:\WINDOWS\system32\KkknnUtv.ini
C:\WINDOWS\system32\KkknnUtv.ini2
C:\WINDOWS\system32\lurexfet.ini
C:\WINDOWS\system32\mlUwaGgh.ini
C:\WINDOWS\system32\mlUwaGgh.ini2
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nypijatc.ini
C:\WINDOWS\system32\oevfwfme.ini
C:\WINDOWS\system32\OnqtBcfe.ini
C:\WINDOWS\system32\OnqtBcfe.ini2
C:\WINDOWS\system32\ophousmp.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pipxijvg.ini
C:\WINDOWS\system32\qkmjrd.dll
C:\WINDOWS\system32\uCceNqru.ini
C:\WINDOWS\system32\uCceNqru.ini2
C:\WINDOWS\system32\weeupwhi.ini
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\wqgcfumd.ini
C:\WINDOWS\system32\ypdocbvr.ini
C:\WINDOWS\time.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TNIDRIVER
-------\Service_TnIDriver


((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 )))))))))))))))))))))))))))))))
.

2008-07-09 10:54 . 2008-07-09 10:54 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-09 10:54 . 2008-07-09 10:54 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-09 10:54 . 2008-07-09 10:54 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-09 10:54 . 2008-07-09 10:54 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-09 10:52 . 2008-07-09 10:54 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-09 10:42 . 2008-04-13 17:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-07-09 10:10 . 2008-04-22 21:16 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-09 10:10 . 2007-04-17 02:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-09 10:10 . 2007-03-07 22:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-09 10:10 . 2008-04-22 21:16 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-09 10:10 . 2008-04-22 21:16 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-09 10:10 . 2008-04-22 21:16 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-09 10:10 . 2008-04-22 21:16 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-09 10:10 . 2008-04-22 21:16 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-09 10:10 . 2008-04-22 00:39 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-09 09:09 . 2008-07-09 09:10 788 --a------ C:\WINDOWS\Active Setup Log.BAK
2008-07-09 08:14 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-07-09 08:14 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-07-08 11:22 . 2008-07-08 11:22 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-07 13:20 . 2008-07-07 13:20 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-03 09:54 . 2008-07-03 09:54 <DIR> d-------- C:\Program Files\Abexo
2008-07-03 08:53 . 2008-04-22 00:40 625,664 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
2008-07-02 16:06 . 2008-07-02 16:06 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-02 11:57 . 2008-07-02 11:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-02 11:57 . 2008-07-02 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-02 11:56 . 2008-07-02 11:49 9,722,720 --a------ C:\spybotsd152.exe
2008-06-30 13:02 . 2008-07-07 13:17 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-06-30 13:02 . 2008-06-30 13:25 <DIR> d-------- C:\Documents and Settings\Dad and Mom\Application Data\Symantec
2008-06-30 12:43 . 2008-07-07 13:19 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-30 12:43 . 2008-07-07 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-27 20:09 . 2008-06-27 20:09 13,942 --a------ C:\WINDOWS\system32\iphone-011.ico
2008-06-27 08:05 . 2008-07-07 09:24 110,419 --a------ C:\WINDOWS\BM039104a0.xml
2008-06-27 07:04 . 2008-06-30 13:22 <DIR> d-------- C:\Documents and Settings\Dad and Mom\Application Data\LimeWire
2008-06-27 07:00 . 2008-06-27 07:05 <DIR> d--hs---- C:\Documents and Settings\Dad and Mom\!
2008-06-26 16:24 . 2008-06-27 15:20 <DIR> d-------- C:\Documents and Settings\Zach\Application Data\LimeWire
2008-06-26 16:20 . 2008-06-26 16:28 <DIR> d--hs---- C:\Documents and Settings\Zach\!
2008-06-26 15:17 . 2008-06-26 15:17 9,662 --a------ C:\WINDOWS\system32\pinkip.ico
2008-06-26 10:50 . 2008-07-02 09:14 <DIR> d-------- C:\WINDOWS\system32\xsir
2008-06-26 10:50 . 2008-06-26 10:50 <DIR> d-------- C:\WINDOWS\system32\vec3
2008-06-26 10:50 . 2008-06-27 07:24 <DIR> d-------- C:\WINDOWS\system32\bam
2008-06-26 10:50 . 2008-06-26 12:20 <DIR> d--hs---- C:\Documents and Settings\Marissa\!
2008-06-26 10:49 . 2008-06-30 15:41 <DIR> d-------- C:\WINDOWS\system32\modtrux05
2008-06-26 10:49 . 2008-06-26 10:49 34,304 --a------ C:\WINDOWS\system32\qoMFvsQJ.dll.vir
2008-06-21 18:57 . 2008-06-28 17:50 <DIR> d-------- C:\Documents and Settings\Marissa\Application Data\LimeWire
2008-06-20 10:46 . 2008-06-20 10:46 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 10:46 . 2008-06-20 10:46 147,968 --------- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 04:51 . 2008-06-20 04:51 361,600 --------- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 04:40 . 2008-06-20 04:40 138,496 --------- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 04:08 . 2008-06-20 04:08 225,856 --------- C:\WINDOWS\system32\dllcache\tcpip6.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 18:04 --------- d-----w C:\Program Files\MSN Messenger
2008-07-08 23:07 --------- d-----w C:\Program Files\Trend Micro
2008-07-02 16:45 --------- d-----w C:\Program Files\dl_cats
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 03:12 --------- d-----w C:\Program Files\iTunes
2008-06-14 03:12 --------- d-----w C:\Program Files\iPod
2008-06-14 03:10 --------- d-----w C:\Program Files\QuickTime
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 04:36 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-06-12 01:15 --------- d-----w C:\Program Files\Dell Photo AIO Printer 966
2008-06-06 15:03 --------- d-----w C:\Program Files\THQ
2008-06-01 02:01 --------- d-----w C:\Documents and Settings\Marissa\Application Data\acccore
2008-06-01 01:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-06-01 01:57 --------- d-----w C:\Program Files\AIM6
2008-06-01 01:56 --------- d-----w C:\Program Files\Viewpoint
2008-06-01 01:56 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-01 01:56 --------- d-----w C:\Program Files\AIM Search
2008-06-01 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-01 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-18 02:29 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-05-18 02:29 --------- d-----w C:\Program Files\Adobe Media Player
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 20:29 389120]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-10 23:09 68856]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 06:15 151552]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 04:20 122940]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 966\memcard.exe" [2006-06-27 04:34 299008]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-16 07:39 7323648]
"dlcqmon.exe"="C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe" [2006-06-20 10:37 286720]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 09:20 282624 C:\WINDOWS\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 17:12 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-31 14:56:41 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^Dad and Mom^Start Menu^Programs^Startup^Deewoo.lnk]
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad and Mom^Start Menu^Programs^Startup^DW_Start.lnk]
backup=C:\WINDOWS\pss\DW_Start.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00a2373c
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM039104a0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{23-37-79-93-DW}

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dlcqcoms.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 16:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 16:16]
R2 dlcq_device;dlcq_device;C:\WINDOWS\system32\dlcqcoms.exe [2006-07-13 14:27]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 14:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-13 05:29:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-14 18:48:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-{b256eb0e-3e79-3f37-8d0c-831caf7b6b25} - C:\WINDOWS\system32\{dfd1d945-243c-d981-ac7d-2a4bb361c658}.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 11:32:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-07-14 11:51:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-14 18:51:10

Pre-Run: 214,056,456,192 bytes free
Post-Run: 216,039,800,832 bytes free

254 --- E O F --- 2008-07-11 10:01:13





******************************************************************************************************************************************************************************
And Here is the HijackThis log:

******************************************************************************************************************************************************************************




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:15 PM, on 7/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcqcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061031
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Dell Photo AIO Printer 966\memcard.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dlcqmon.exe] "C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168723584823
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215539304140
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.31.5/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcq_device - - C:\WINDOWS\system32\dlcqcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9280 bytes



I won't use the machine unitl I here from you if there are firther steps that I should take.

Thanks again,

Mike

shelf life
2008-07-15, 00:55
hi,

thanks for the info. we will use combofix and get another download to run.

first combofix:

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:




File::
C:\WINDOWS\system32\d3d8caps.dat
C:\WINDOWS\system32\qoMFvsQJ.dll.vir

Folder::
C:\WINDOWS\system32\modtrux05

DirLook::
C:\WINDOWS\system32\scripting
C:\WINDOWS\system32\en
C:\WINDOWS\system32\bits
C:\WINDOWS\l2schemas
C:\WINDOWS\system32\xsir
C:\WINDOWS\system32\vec3
C:\WINDOWS\system32\bam


Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon, both on your desktop.
using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
please post the new combofix log and a new hjt log.

after the above download and run malwarebytes. post the combofix log and the malwarebytes log please.

Please download Malwarebytes' Anti-Malware to your desktop:

http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

mike_biscup
2008-07-15, 02:45
Ok ... First ComboFix was run again as directed ... then Hijack This was run and then malAware was run ... the logs for these three are listed below:

COMBOFIX:

ComboFix 08-07-13.14 - Dad and Mom 2008-07-14 15:35:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.720 [GMT -7:00]
Running from: C:\Documents and Settings\Dad and Mom\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad and Mom\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\d3d8caps.dat
C:\WINDOWS\system32\qoMFvsQJ.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM039104a0.xml
C:\WINDOWS\system32\d3d8caps.dat
C:\WINDOWS\system32\modtrux05
C:\WINDOWS\system32\qoMFvsQJ.dll.vir

.
((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 )))))))))))))))))))))))))))))))
.

2008-07-09 10:54 . 2008-07-09 10:54 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-09 10:54 . 2008-07-09 10:54 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-09 10:54 . 2008-07-09 10:54 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-09 10:54 . 2008-07-09 10:54 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-09 10:52 . 2008-07-09 10:54 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-09 10:42 . 2008-04-13 17:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-07-09 10:10 . 2008-04-22 21:16 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-09 10:10 . 2007-04-17 02:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-09 10:10 . 2007-03-07 22:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-09 10:10 . 2008-04-22 21:16 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-09 10:10 . 2008-04-22 21:16 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-09 10:10 . 2008-04-22 21:16 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-09 10:10 . 2008-04-22 21:16 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-09 10:10 . 2008-04-22 21:16 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-09 10:10 . 2008-04-22 00:39 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-09 09:09 . 2008-07-09 09:10 788 --a------ C:\WINDOWS\Active Setup Log.BAK
2008-07-09 08:14 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-07-09 08:14 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-07-08 11:22 . 2008-07-08 11:22 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-07 13:20 . 2008-07-07 13:20 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-03 09:54 . 2008-07-03 09:54 <DIR> d-------- C:\Program Files\Abexo
2008-07-03 08:53 . 2008-04-22 00:40 625,664 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
2008-07-02 11:57 . 2008-07-02 11:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-02 11:57 . 2008-07-02 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-02 11:56 . 2008-07-02 11:49 9,722,720 --a------ C:\spybotsd152.exe
2008-06-30 13:02 . 2008-07-07 13:17 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-06-30 13:02 . 2008-06-30 13:25 <DIR> d-------- C:\Documents and Settings\Dad and Mom\Application Data\Symantec
2008-06-30 12:43 . 2008-07-07 13:19 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-30 12:43 . 2008-07-07 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-27 20:09 . 2008-06-27 20:09 13,942 --a------ C:\WINDOWS\system32\iphone-011.ico
2008-06-27 07:04 . 2008-06-30 13:22 <DIR> d-------- C:\Documents and Settings\Dad and Mom\Application Data\LimeWire
2008-06-27 07:00 . 2008-06-27 07:05 <DIR> d--hs---- C:\Documents and Settings\Dad and Mom\!
2008-06-26 16:24 . 2008-06-27 15:20 <DIR> d-------- C:\Documents and Settings\Zach\Application Data\LimeWire
2008-06-26 16:20 . 2008-06-26 16:28 <DIR> d--hs---- C:\Documents and Settings\Zach\!
2008-06-26 15:17 . 2008-06-26 15:17 9,662 --a------ C:\WINDOWS\system32\pinkip.ico
2008-06-26 10:50 . 2008-07-02 09:14 <DIR> d-------- C:\WINDOWS\system32\xsir
2008-06-26 10:50 . 2008-06-26 10:50 <DIR> d-------- C:\WINDOWS\system32\vec3
2008-06-26 10:50 . 2008-06-27 07:24 <DIR> d-------- C:\WINDOWS\system32\bam
2008-06-26 10:50 . 2008-06-26 12:20 <DIR> d--hs---- C:\Documents and Settings\Marissa\!
2008-06-21 18:57 . 2008-06-28 17:50 <DIR> d-------- C:\Documents and Settings\Marissa\Application Data\LimeWire
2008-06-20 10:46 . 2008-06-20 10:46 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 10:46 . 2008-06-20 10:46 147,968 --------- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 04:51 . 2008-06-20 04:51 361,600 --------- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 04:40 . 2008-06-20 04:40 138,496 --------- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 04:08 . 2008-06-20 04:08 225,856 --------- C:\WINDOWS\system32\dllcache\tcpip6.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 18:04 --------- d-----w C:\Program Files\MSN Messenger
2008-07-08 23:07 --------- d-----w C:\Program Files\Trend Micro
2008-07-02 16:45 --------- d-----w C:\Program Files\dl_cats
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 03:12 --------- d-----w C:\Program Files\iTunes
2008-06-14 03:12 --------- d-----w C:\Program Files\iPod
2008-06-14 03:10 --------- d-----w C:\Program Files\QuickTime
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-12 04:36 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-06-12 04:34 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-12 01:15 --------- d-----w C:\Program Files\Dell Photo AIO Printer 966
2008-06-06 15:03 --------- d-----w C:\Program Files\THQ
2008-06-01 02:01 --------- d-----w C:\Documents and Settings\Marissa\Application Data\acccore
2008-06-01 01:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-06-01 01:57 --------- d-----w C:\Program Files\AIM6
2008-06-01 01:56 --------- d-----w C:\Program Files\Viewpoint
2008-06-01 01:56 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-01 01:56 --------- d-----w C:\Program Files\AIM Search
2008-06-01 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-01 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-18 02:29 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-05-18 02:29 --------- d-----w C:\Program Files\Adobe Media Player
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 90,112 ------w C:\WINDOWS\system32\dllcache\wshext.dll
2008-05-09 10:53 512,000 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 430,080 ------w C:\WINDOWS\system32\dllcache\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\system32\dllcache\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\system32\dllcache\scrrun.dll
2008-05-08 14:02 203,136 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-08 11:24 155,648 ------w C:\WINDOWS\system32\dllcache\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\system32\dllcache\cscript.exe
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-24 05:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-14 12:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 12:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 12:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\l2schemas ----

2007-06-08 12:51 5957 --------- C:\WINDOWS\l2schemas\onex_v1.xsd
2007-06-08 12:50 2687 --------- C:\WINDOWS\l2schemas\lan_policy_v1.xsd
2007-06-08 12:50 2241 --------- C:\WINDOWS\l2schemas\lan_profile_v1.xsd
2007-04-02 06:36 789 --------- C:\WINDOWS\l2schemas\eapuserpropertiesv1.xsd
2007-04-02 06:36 752 --------- C:\WINDOWS\l2schemas\eapcommon.xsd
2007-04-02 06:36 648 --------- C:\WINDOWS\l2schemas\baseeapmethodusercredentials.xsd
2007-04-02 06:36 612 --------- C:\WINDOWS\l2schemas\baseeapmethodconfig.xsd
2007-04-02 06:36 3192 --------- C:\WINDOWS\l2schemas\eaptlsconnectionpropertiesv1.xsd
2007-04-02 06:36 2843 --------- C:\WINDOWS\l2schemas\mspeapconnectionpropertiesv1.xsd
2007-04-02 06:36 15263 --------- C:\WINDOWS\l2schemas\wlan_profile_v1.xsd
2007-04-02 06:36 1484 --------- C:\WINDOWS\l2schemas\mspeapuserpropertiesv1.xsd
2007-04-02 06:36 1410 --------- C:\WINDOWS\l2schemas\mschapv2userpropertiesv1.xsd
2007-04-02 06:36 1329 --------- C:\WINDOWS\l2schemas\eaptlsuserpropertiesv1.xsd
2007-04-02 06:36 1271 --------- C:\WINDOWS\l2schemas\mschapv2connectionpropertiesv1.xsd
2007-04-02 06:36 1193 --------- C:\WINDOWS\l2schemas\eaphostusercredentials.xsd
2007-04-02 06:36 1159 --------- C:\WINDOWS\l2schemas\eapconnectionpropertiesv1.xsd
2007-04-02 06:36 1116 --------- C:\WINDOWS\l2schemas\baseeapuserpropertiesv1.xsd
2007-04-02 06:36 1115 --------- C:\WINDOWS\l2schemas\eaphostconfig.xsd
2007-04-02 06:36 1066 --------- C:\WINDOWS\l2schemas\baseeapconnectionpropertiesv1.xsd

---- Directory of C:\WINDOWS\system32\bam ----


---- Directory of C:\WINDOWS\system32\bits ----

2008-04-13 17:12 409088 --------- C:\WINDOWS\system32\bits\qmgr.dll

---- Directory of C:\WINDOWS\system32\en ----

2008-04-13 17:11 6656 --------- C:\WINDOWS\system32\en\mmcfxcommon.resources.dll
2008-04-13 17:11 40960 --------- C:\WINDOWS\system32\en\mmcex.resources.dll
2008-04-13 17:11 28672 --------- C:\WINDOWS\system32\en\microsoft.managementconsole.resources.dll

---- Directory of C:\WINDOWS\system32\scripting ----

2008-02-23 07:40 9728 --------- C:\WINDOWS\system32\scripting\scrrun.dll.mui
2008-02-23 07:40 9216 --------- C:\WINDOWS\system32\scripting\scrobj.dll.mui
2008-02-23 07:40 7168 --------- C:\WINDOWS\system32\scripting\wshom.ocx.mui
2008-02-23 07:40 5632 --------- C:\WINDOWS\system32\scripting\wshext.dll.mui
2008-02-23 07:40 5632 --------- C:\WINDOWS\system32\scripting\msscript.ocx.mui
2008-02-23 07:40 12800 --------- C:\WINDOWS\system32\scripting\jscript.dll.mui
2008-02-23 07:40 11776 --------- C:\WINDOWS\system32\scripting\cscript.exe.mui
2008-02-23 07:40 11264 --------- C:\WINDOWS\system32\scripting\vbscript.dll.mui
2008-02-23 07:40 10240 --------- C:\WINDOWS\system32\scripting\wscript.exe.mui

---- Directory of C:\WINDOWS\system32\vec3 ----


---- Directory of C:\WINDOWS\system32\xsir ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 20:29 389120]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-10 23:09 68856]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 06:15 151552]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 04:20 122940]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 966\memcard.exe" [2006-06-27 04:34 299008]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-16 07:39 7323648]
"dlcqmon.exe"="C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe" [2006-06-20 10:37 286720]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 09:20 282624 C:\WINDOWS\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 17:12 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-31 14:56:41 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^Dad and Mom^Start Menu^Programs^Startup^Deewoo.lnk]
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad and Mom^Start Menu^Programs^Startup^DW_Start.lnk]
backup=C:\WINDOWS\pss\DW_Start.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00a2373c
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM039104a0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{23-37-79-93-DW}

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dlcqcoms.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 16:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 16:16]
R2 dlcq_device;dlcq_device;C:\WINDOWS\system32\dlcqcoms.exe [2006-07-13 14:27]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 14:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-13 05:29:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-14 22:48:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 15:38:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-14 15:48:15
ComboFix-quarantined-files.txt 2008-07-14 22:48:12
ComboFix2.txt 2008-07-14 18:51:14

Pre-Run: 216,457,912,320 bytes free
Post-Run: 216,440,442,880 bytes free

242 --- E O F --- 2008-07-11 10:01:13

******************************************************************************************************************************************************************************

HIJACKTHIS

******************************************************************************************************************************************************************************


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:55:40 PM, on 7/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcqcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061031
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Dell Photo AIO Printer 966\memcard.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dlcqmon.exe] "C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168723584823
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215539304140
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.31.5/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcq_device - - C:\WINDOWS\system32\dlcqcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9279 bytes


******************************************************************************************************************************************************************************

Malwarebytes' Anti-Malware 1.20

******************************************************************************************************************************************************************************


Malwarebytes' Anti-Malware 1.20
Database version: 949
Windows 5.1.2600 Service Pack 3

4:37:15 PM 7/14/2008
mbam-log-7-14-2008 (16-37-15).txt

Scan type: Full Scan (C:\|)
Objects scanned: 245036
Time elapsed: 37 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\bam (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vec3 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xsir (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Zach\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (Rogue.SpywareDestructor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Marissa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (Rogue.SpywareDestructor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad and Mom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (Rogue.SpywareDestructor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Zach\Start Menu\Programs\Startup\DW_Start.lnk (Malware.Links) -> Quarantined and deleted successfully.
C:\Documents and Settings\Zach\Start Menu\Programs\Startup\Deewoo.lnk (Malware.Links) -> Quarantined and deleted successfully.


******************************************************************************************************************************************************************************


What do think the current prognosis might be?


Thanks again for the help,


Mike

shelf life
2008-07-15, 04:12
hi,

i think the prognosis is good. malwarebytes removed some items. lets do a online scan also here:

ESET online scanner:

http://www.eset.com/onlinescan/

uses Internet Explorer only
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan unwanted applications"
click scan
when done you can find the scan log at:C:\Program Files\EsetOnlineScanner\log.txt
please copy/paste that log in next reply.

mike_biscup
2008-07-15, 22:13
I think the scan came up good. The log is posted below.

I have a couple of questions. The different fix and log programs that we have been running seem to have turned off my antivirus which if AVAST. I don’t know if this is a good program ... do you have recommendations for actual names of antivirus, spyware, malware, adware, firewall .... programs that should be installed and running?

I had Trend Micro PCcillin (sp) when I got into this mess but it might jave been out of date although not by much.

Thanks for any information you might be able to pass on ... and for the help you have already given

LOG:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3269 (20080715)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=3d21e2a03be3664ebc626d6b8daf4dd3
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-07-15 06:48:40
# local_time=2008-07-15 11:48:40 (-0800, Pacific Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=490099
# found=0
# scan_time=3542

shelf life
2008-07-16, 02:40
hi mike_biscup,

looks good.


have turned off my antivirus is the notice its off from the windows security center? sometimes malware can change this. do you see the Avast! icon in the system tray, can you scan and update it ok? if so then its not really turned off.

I don’t know if this is a good program
nothing wrong with Avast! for a antivirus scanner. the malware you had is beyond any antivirus i know. even some malware scanners as you see, have a hard time with it. I can suggest some other free anitvirus if you want.


spyware, malware, adware these are all called "malware" and for them you need a antimalware app. you have ad aware, spybot and now malwarebytes. the free version of malwarebytes dosnt have a auto update feature, so always check for updates before scanning with it, even if you dont scan often- check for updates just to keep it updated. three anitmalware apps is enough. keep them updated.

its not about software really-- having the core security apps is important but if you know a little about how you can get malware in the first place and try to avoid those things, you will be ahead of the game. the majority of people install the initial malware themselves. no software can think for you.

firewalls:
zone alarm has a free version, pctools has a free version, comodo firewall is free, sunbelt has a free firewall.

i like questions. once you are all set we can finish up.

mike_biscup
2008-07-16, 20:44
Hello again, I seem to be mostly running ok ... but I do have a lingering symptom that has only shown up after the infection and the subsequent repair attempts . I cannot seem to utilize shortcuts to ie7. Neither old shortcuts nor newly created ones function properly. The ie window will begin to open ... the outline of it will appear ... but then it will hang saying "connecting ... " I loaded firefox and, if i change the default browser to firefox, the links work but ie doesn't.

I saw something on a forum thread about posting a hijack log to have someone try to see why this might happen and thought that since you have one ... perhaps you might be able to see something.

Does this sound like anyhthing you might know about?

Thanks,

Mike

shelf life
2008-07-17, 00:25
hi mike_biscup,

you can try this:

go to start>run and type in the box:

regsvr32 urlmon.dll

click ok