PDA

View Full Version : Vitrumonde



jackfrost1031
2008-12-05, 08:38
This thing is a pain. PC-Cillan spotted it yet it could not remove it. Keep popping up ads and annoying me.

Here is a HJT logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:33:17 AM, on 12-5-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Winamp Remote\bin\orbtray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220669728937
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: szewut.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7542 bytes

Baabiouz
2008-12-05, 09:16
Hi :)

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Rename HiJackThis
There is some infection hiding in your log.
Using Windows Explore by right-clicking the Start button and left clicking Explore navigate to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right-click on HijackThis.exe & select Rename to
Rename to something like jackfrost1031.exe
Double click on jackfrost1031.exe to run the program then post back a new Hijackthis log.

Please post Combofix log and a fresh Hijackthis log (jackfrost1031.exe) back here :)

jackfrost1031
2008-12-05, 11:57
Still sluggish loading anything but here are my new log files:

Thanks!

ComboFix 08-12-04.04 - Zach 2008-12-05 4:16:51.1 - NTFSx86
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\recycler\ADAPT_Installer.exe
c:\windows\system32\awtuTKbC.dll
c:\windows\system32\CbKTutwa.ini
c:\windows\system32\CbKTutwa.ini2
c:\windows\system32\lyodrtis.ini
c:\windows\system32\MSYyHggh.ini
c:\windows\system32\MSYyHggh.ini2
c:\windows\system32\sitrdoyl.dll
c:\windows\system32\szewut.dll
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\twext.exe
c:\windows\system32\ysnkjqlo.ini
c:\windows\system32\yydxderq.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PACKET
-------\Service_Packet


((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-03 23:11 . 2008-12-03 23:11 <DIR> d-------- c:\program files\Winamp Toolbar
2008-12-03 23:11 . 2008-12-03 23:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Winamp Toolbar
2008-12-03 23:10 . 2008-12-05 03:27 <DIR> d-------- c:\program files\Winamp Remote
2008-12-03 23:10 . 2008-12-03 23:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\OrbNetworks
2008-12-03 23:08 . 2008-12-03 23:12 <DIR> d-------- c:\program files\Winamp
2008-12-03 23:08 . 2008-12-04 01:59 <DIR> d-------- c:\documents and settings\Zach\Application Data\Winamp
2008-12-03 16:02 . 2008-12-03 16:02 <DIR> d-------- C:\VundoFix Backups
2008-12-02 23:16 . 2008-12-02 23:20 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-02 23:16 . 2008-12-03 19:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-02 20:31 . 2008-12-02 20:31 25,600 --a------ c:\windows\system32\byXqoNFw.dll
2008-12-01 03:26 . 2008-12-01 03:26 <DIR> d-------- c:\program files\Rosetta Stone
2008-12-01 03:06 . 2008-12-01 03:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-01 03:00 . 2008-12-01 03:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\RosettaStoneLtdBackup
2008-12-01 02:30 . 2008-12-01 02:30 <DIR> d-------- c:\program files\Abexo
2008-12-01 02:21 . 2008-12-01 02:21 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-12-01 02:20 . 2008-12-03 23:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Rosetta Stone
2008-12-01 02:12 . 2008-12-01 02:12 <DIR> d-------- c:\program files\DAEMON Tools Lite
2008-12-01 02:08 . 2008-12-01 02:08 <DIR> d-------- c:\documents and settings\Zach\Application Data\DAEMON Tools
2008-12-01 02:08 . 2008-12-01 02:08 717,296 --a------ c:\windows\system32\drivers\sptd.sys
2008-11-17 10:39 . 2008-11-17 10:40 <DIR> d-------- c:\program files\DownloadToolz
2008-11-14 15:59 . 2008-11-14 15:59 <DIR> d-------- c:\documents and settings\Zach\Application Data\CyberLink
2008-11-12 15:52 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 15:52 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 00:01 . 2008-09-19 16:57 129,784 --a------ c:\windows\system32\pxafs.dll
2008-11-10 00:01 . 2008-09-19 16:57 120,056 --a------ c:\windows\system32\pxcpyi64.exe
2008-11-10 00:01 . 2008-09-19 16:57 118,520 --a------ c:\windows\system32\pxinsi64.exe
2008-11-10 00:01 . 2008-09-19 16:57 9,464 --------- c:\windows\system32\drivers\cdralw2k.sys
2008-11-10 00:01 . 2008-09-19 16:57 9,336 --------- c:\windows\system32\drivers\cdr4_xp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 09:42 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 07:03 --------- d-----w c:\documents and settings\Zach\Application Data\Skype
2008-12-04 05:04 --------- d-----w c:\documents and settings\Zach\Application Data\skypePM
2008-12-04 02:03 --------- d-----w c:\documents and settings\Zach\Application Data\uTorrent
2008-12-03 21:14 --------- d-----w c:\program files\Trend Micro
2008-12-01 08:25 --------- d-----w c:\program files\Xvid
2008-12-01 08:12 --------- d-----w c:\program files\Microsoft Works
2008-12-01 07:21 --------- d-----w c:\program files\RGB
2008-12-01 07:21 --------- d-----w c:\program files\Modem Helper
2008-12-01 07:21 --------- d-----w c:\program files\DivX
2008-11-25 02:35 --------- d-----w c:\documents and settings\Zach\Application Data\DivX
2008-11-19 05:17 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-18 01:10 --------- d-----w c:\documents and settings\Zach\Application Data\Move Networks
2008-11-01 19:43 --------- d-----w c:\program files\Mnemosyne
2008-10-30 22:40 --------- d-----w c:\documents and settings\Zach\Application Data\Saba
2008-10-30 22:38 --------- d-----w c:\documents and settings\Zach\Application Data\Centra
2008-10-30 22:33 --------- d-----w c:\program files\Centra
2008-10-30 19:58 --------- d-----w c:\program files\MSBuild
2008-10-30 19:57 --------- d-----w c:\program files\Microsoft.NET
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 21:52 --------- d-----w c:\program files\Tracker Software
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-14 00:02 --------- d-----w c:\program files\Gabest
2008-10-13 20:16 --------- d-----w c:\program files\FLV Player
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-25 02:58 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A63E645F-13BD-45ED-B15F-6E8C1BD57279}]
2008-12-02 20:31 25600 --a------ c:\windows\system32\byXqoNFw.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-03-31 507904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-09-04 7168]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-09-04 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A63E645F-13BD-45ED-B15F-6E8C1BD57279}"= "c:\windows\system32\byXqoNFw.dll" [2008-12-02 25600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXqoNFw]
2008-12-02 20:31 25600 c:\windows\system32\byXqoNFw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=szewut.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54260:TCP"= 54260:TCP:mutorr
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2007-11-08 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2007-11-08 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2007-11-08 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2007-11-08 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2007-11-08 280392]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3EE30C9C-E85D-4C1C-BDC2-B5B32F6BEF99} - c:\windows\system32\hggHyYSM.dll
BHO-{a5391dbe-134f-49a3-8326-8d6158e9569c} - c:\windows\system32\szewut.dll
BHO-{FB80F473-A71E-49E0-A35F-CB29EE08999C} - c:\windows\system32\awtuTKbC.dll
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FireFox -: Profile - c:\documents and settings\Zach\Application Data\Mozilla\Firefox\Profiles\03ajinkp.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPCentraUpdater.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 04:36:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1788)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\windows\system32\byXqoNFw.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\progra~1\TRENDM~1\INTERN~1\TSC.EXE
.
**************************************************************************
.
Completion time: 2008-12-05 4:50:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-05 09:50:04

Pre-Run: 80,949,841,920 bytes free
Post-Run: 81,122,344,960 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

267 --- E O F --- 2008-11-13 16:18:51


[B]
HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:20 AM, on 12-5-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\jf1031.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tsc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - C:\WINDOWS\system32\byXqoNFw.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220669728937
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: szewut.dll
O20 - Winlogon Notify: byXqoNFw - C:\WINDOWS\SYSTEM32\byXqoNFw.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7426 bytes

Baabiouz
2008-12-05, 13:09
Hi

Step #1
Please click your Start button then Click on Run and type in the following without the quotes: "notepad" Then copy (Ctrl C) and paste (Ctrl V) the following text in the quotebox,

File::
c:\windows\system32\byXqoNFw.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A63E645F-13BD-45ED-B15F-6E8C1BD57279}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A63E645F-13BD-45ED-B15F-6E8C1BD57279}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXqoNFw]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Step #2
Please download ATF-cleaner (http://www.atribune.org/ccount/click.php?id=1) and save it to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser:

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Step #3
Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here (http://www.besttechie.net/tools/mbam-setup.exe) and save to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
Note:
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Or via the Logs tab when Malwarebytes' Anti-Malware is started.

Step #4
Please post Combofix log, Mbam results and a fresh HijackThis log back here :)
How's your pc working now?

jackfrost1031
2008-12-06, 00:36
The link to Malwareytes download you gave isn't working. I got a copy off of Download.com, version 1.31. If that isn't acceptable let me know.

I'm about to run the other things.

jackfrost1031
2008-12-06, 01:21
PC is running faster.

Also, can I use HJT to disable some of the programs that run at startup? IE: Groove, MSN Messenger, and some other fluff?

jackfrost1031
2008-12-06, 07:28
D'oh, forgot my log files:

Combofix:

ComboFix 08-12-05.02 - Zach 2008-12-05 17:54:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1360 [GMT -5:00]
Running from: c:\documents and settings\Zach\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Zach\Desktop\CFScript.txt

FILE ::
c:\windows\system32\byXqoNFw.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\byXqoNFw.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-03 23:11 . 2008-12-03 23:11 <DIR> d-------- c:\program files\Winamp Toolbar
2008-12-03 23:11 . 2008-12-03 23:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Winamp Toolbar
2008-12-03 23:10 . 2008-12-05 03:27 <DIR> d-------- c:\program files\Winamp Remote
2008-12-03 23:10 . 2008-12-03 23:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\OrbNetworks
2008-12-03 23:08 . 2008-12-03 23:12 <DIR> d-------- c:\program files\Winamp
2008-12-03 23:08 . 2008-12-04 01:59 <DIR> d-------- c:\documents and settings\Zach\Application Data\Winamp
2008-12-02 23:16 . 2008-12-02 23:20 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-02 23:16 . 2008-12-03 19:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-01 03:26 . 2008-12-01 03:26 <DIR> d-------- c:\program files\Rosetta Stone
2008-12-01 03:06 . 2008-12-01 03:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-01 03:00 . 2008-12-01 03:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\RosettaStoneLtdBackup
2008-12-01 02:30 . 2008-12-01 02:30 <DIR> d-------- c:\program files\Abexo
2008-12-01 02:21 . 2008-12-01 02:21 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-12-01 02:20 . 2008-12-03 23:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Rosetta Stone
2008-12-01 02:12 . 2008-12-01 02:12 <DIR> d-------- c:\program files\DAEMON Tools Lite
2008-12-01 02:08 . 2008-12-01 02:08 <DIR> d-------- c:\documents and settings\Zach\Application Data\DAEMON Tools
2008-12-01 02:08 . 2008-12-01 02:08 717,296 --a------ c:\windows\system32\drivers\sptd.sys
2008-11-17 10:39 . 2008-11-17 10:40 <DIR> d-------- c:\program files\DownloadToolz
2008-11-14 15:59 . 2008-11-14 15:59 <DIR> d-------- c:\documents and settings\Zach\Application Data\CyberLink
2008-11-12 15:52 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 15:52 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 00:01 . 2008-09-19 16:57 129,784 --a------ c:\windows\system32\pxafs.dll
2008-11-10 00:01 . 2008-09-19 16:57 120,056 --a------ c:\windows\system32\pxcpyi64.exe
2008-11-10 00:01 . 2008-09-19 16:57 118,520 --a------ c:\windows\system32\pxinsi64.exe
2008-11-10 00:01 . 2008-09-19 16:57 9,464 --------- c:\windows\system32\drivers\cdralw2k.sys
2008-11-10 00:01 . 2008-09-19 16:57 9,336 --------- c:\windows\system32\drivers\cdr4_xp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 09:42 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 07:03 --------- d-----w c:\documents and settings\Zach\Application Data\Skype
2008-12-04 05:04 --------- d-----w c:\documents and settings\Zach\Application Data\skypePM
2008-12-04 02:03 --------- d-----w c:\documents and settings\Zach\Application Data\uTorrent
2008-12-03 21:14 --------- d-----w c:\program files\Trend Micro
2008-12-01 08:25 --------- d-----w c:\program files\Xvid
2008-12-01 08:12 --------- d-----w c:\program files\Microsoft Works
2008-12-01 07:21 --------- d-----w c:\program files\RGB
2008-12-01 07:21 --------- d-----w c:\program files\Modem Helper
2008-12-01 07:21 --------- d-----w c:\program files\DivX
2008-11-25 02:35 --------- d-----w c:\documents and settings\Zach\Application Data\DivX
2008-11-19 05:17 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-18 01:10 --------- d-----w c:\documents and settings\Zach\Application Data\Move Networks
2008-11-01 19:43 --------- d-----w c:\program files\Mnemosyne
2008-10-30 22:40 --------- d-----w c:\documents and settings\Zach\Application Data\Saba
2008-10-30 22:38 --------- d-----w c:\documents and settings\Zach\Application Data\Centra
2008-10-30 22:33 --------- d-----w c:\program files\Centra
2008-10-30 19:58 --------- d-----w c:\program files\MSBuild
2008-10-30 19:57 --------- d-----w c:\program files\Microsoft.NET
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-15 21:52 --------- d-----w c:\program files\Tracker Software
2008-10-14 00:02 --------- d-----w c:\program files\Gabest
2008-10-13 20:16 --------- d-----w c:\program files\FLV Player
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-03-31 507904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-09-04 7168]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-09-04 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54260:TCP"= 54260:TCP:mutorr
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2007-11-08 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2007-11-08 280392]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2007-11-08 345696]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2007-11-08 923216]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2007-11-08 566872]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FireFox -: Profile - c:\documents and settings\Zach\Application Data\Mozilla\Firefox\Profiles\03ajinkp.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPCentraUpdater.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 18:06:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1772)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Completion time: 2008-12-05 18:10:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-05 23:10:05
ComboFix2.txt 2008-12-05 09:50:20

Pre-Run: 81,063,976,960 bytes free
Post-Run: 81,057,849,344 bytes free

183 --- E O F --- 2008-11-13 16:18:51


MalwareBytes:

Malwarebytes' Anti-Malware 1.31
Database version: 1464
Windows 5.1.2600 Service Pack 3

12-6-2008 12:25:27 AM
mbam-log-2008-12-06 (00-25-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 184356
Time elapsed: 1 hour(s), 10 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)


Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\awtuTKbC.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\byXqoNFw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sitrdoyl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\szewut.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yydxderq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP85\A0017208.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP85\A0017210.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP85\A0017265.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP86\A0017301.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP87\A0017367.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP87\A0017371.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP87\A0017374.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP87\A0017375.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP87\A0017377.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP88\A0017485.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:43 AM, on 12-6-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\jf1031.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220669728937
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7261 bytes

Baabiouz
2008-12-06, 09:57
Hi

Well done :)

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7...allows end-users to run Java applications".
Click the "Download" button to the right.
Select your Platform: "Windows".
Select your Language: "Multi-language".
Read the License Agreement, and then check the box that says: "Accept License Agreement".
Click Continue and the page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs (http://www.bleepingcomputer.com/forums/topic42133.html) and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.

To Clear the Java Runtime Environment (JRE) cache, do this:
Click Start > Settings > Control Panel.
Double-click the Java icon.
-The Java Control Panel appears.
Click "Settings" under Temporary Internet Files.
-The Temporary Files Settings dialog box appears.
Click "Delete Files".
-The Delete Temporary Files dialog box appears.
-There are three options on this window to clear the cache.
Delete Files
View Applications
View Applets

Click "OK" on Delete Temporary Files window.
-Note: This deletes all the Downloaded Applications and Applets from the cache.
Click "OK" on Temporary Files Settings window.
Close the Java Control Panel.
You can also view these instructions along with screenshots here (http://www.java.com/en/download/help/5000020300.xml).
__________________

StartUpLite is a lightweight and simple to use application that allows you to speed up your system startup. --> StartUpLite (http://www.malwarebytes.org/startuplite.php)

Please post a fresh Hijackthis log here :)

jackfrost1031
2008-12-06, 11:34
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:32:57 AM, on 12-6-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\jf1031.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220669728937
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7373 bytes


Seems clean. I really appreciate the help! Also I did the startup clean you suggested. Load times are down a little which is always nice.

Baabiouz
2008-12-06, 16:41
Hi

Looks clean, great job! :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1644)

Malwarebytes' Anti-Malware Scanning Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1645)

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean!