HJT log [Archive] - Safer-Networking Forums

View Full Version : HJT log

gbusch

2009-05-01, 22:54

I have malware that blocks the use of spybot, and hijacks my IE browser. Here is my HJT log. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:33 PM, on 5/1/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16830)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\BellSouthWCC\McciTrayApp.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ATT_WCC] C:\Program Files\BellSouthWCC\McciTrayApp.exe
O4 - HKLM\..\Run: [BellSouthWCC_McciTrayApp] C:\Program Files\BellSouthWCC\McciTrayApp.exe
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CBFEDA0-D57E-4F81-A14E-712D2D7A1EEA}: NameServer = 85.255.112.201,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{B65194AE-680F-43E2-85B5-D7DE1F3C62E3}: NameServer = 85.255.112.201,85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.201,85.255.112.144
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.201,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.201,85.255.112.144
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11833 bytes

ken545

2009-05-02, 03:08

Hello gbusch

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.

gbusch

2009-05-02, 15:04

The malware removal program installs, but will not run in any mode - safe or at command prompt.

ken545

2009-05-02, 15:58

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Then right click on it and rename it to Combo-Fix.exe

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.

Double click on Combo-Fix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

gbusch

2009-05-02, 22:35

Here is the ComboFix log:

ComboFix 09-05-02.4 - Gary 05/02/2009 16:17.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1022.178 [GMT -4:00]
Running from: c:\users\Gary\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\recycler\S-3-0-36-100000894-100028508-100025189-1935.com
c:\users\Gary\AppData\Roaming\AntiSpywareDAT
c:\users\Gary\AppData\Roaming\AntiSpywareDAT\BlockedCookies.dat
c:\users\Gary\AppData\Roaming\AntiSpywareDAT\date.dat
c:\users\Gary\AppData\Roaming\AntiSpywareDAT\DirectoryDefinition.dat
c:\users\Gary\AppData\Roaming\AntiSpywareDAT\ENoSignature.dat
c:\users\Gary\AppData\Roaming\AntiSpywareDAT\ExeDefinition.dat
c:\users\Gary\AppData\Roaming\AntiSpywareDAT\FileDefinition.dat
c:\users\Gary\AppData\Roaming\AntiSpywareDAT\RegistryDefinition.dat
c:\users\Gary\AppData\Roaming\AntiSpywareDAT\Safety.dat
c:\users\Gary\AppData\Roaming\AntiSpywareDAT\Scan_Log.txt
c:\users\Gary\Documents\My Documents.url
c:\windows\system32\drivers\gxvxcdcquckdgymamrweylcugphjoealltjem.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcjrdwvotjwcyjcrjwxiineafbywajyhdd.dll
c:\windows\system32\Memman.vxd
c:\windows\system32\skinboxer43.dll
D:\Autorun.inf
d:\recycler\S-3-0-36-100000894-100028508-100025189-1935.com
d:\recycler\S-6-5-52-100010376-100021543-100020274-5889.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS

((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-05-01 20:30 . 2009-05-01 20:30 -------- d-----w c:\program files\ERUNT
2009-05-01 19:17 . 2009-05-01 19:17 -------- d-----w c:\program files\Trend Micro
2009-04-27 13:08 . 2009-04-27 13:08 -------- d-----w c:\program files\Security Scanner Full
2009-04-26 14:38 . 2009-05-02 12:49 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-26 14:38 . 2009-05-02 12:49 -------- dc-h--w c:\programdata\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-04-26 14:38 . 2009-05-02 12:49 -------- dc-h--w c:\users\All Users\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-04-26 14:38 . 2009-04-26 14:38 -------- d-----w c:\program files\Lavasoft
2009-04-26 14:38 . 2009-05-02 12:49 -------- d-----w c:\programdata\Lavasoft
2009-04-26 14:38 . 2009-05-02 12:49 -------- d-----w c:\users\All Users\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 20:15 . 2006-11-02 13:01 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 13:00 . 2009-05-02 13:00 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-02 12:55 . 2009-01-10 19:44 31776 ----a-w c:\users\All Users\nvModes.dat
2009-05-02 12:55 . 2009-01-10 19:44 31776 ----a-w c:\programdata\nvModes.dat
2009-04-27 14:38 . 2009-04-26 14:39 472 ----a-w c:\windows\Tasks\Ad-Aware Update (Weekly).job
2009-04-26 14:05 . 2008-10-24 10:49 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-16 07:15 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-06 19:32 . 2009-05-02 13:00 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-05-02 13:00 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-21 02:26 . 2007-11-01 17:05 680 ----a-w c:\users\Gary\AppData\Local\d3d9caps.dat
2009-03-17 03:16 . 2009-04-15 12:49 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:16 . 2009-04-15 12:49 14848 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:16 . 2009-04-15 12:49 25600 ----a-w c:\windows\system32\amxread.dll
2009-03-03 04:24 . 2009-04-15 12:49 3503584 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:24 . 2009-04-15 12:49 3469280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:20 . 2009-04-15 12:49 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:19 . 2009-04-15 12:49 158720 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:19 . 2009-04-15 12:49 549888 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:19 . 2009-04-15 12:49 24576 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:16 . 2009-04-15 12:49 56320 ----a-w c:\windows\system32\iesetup.dll
2009-03-03 04:16 . 2009-04-15 12:49 97280 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:16 . 2009-04-15 12:49 53248 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:16 . 2009-04-15 12:49 37888 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 04:16 . 2009-04-15 12:49 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:16 . 2009-04-15 12:49 52736 ----a-w c:\windows\AppPatch\iebrshim.dll
2009-03-03 04:15 . 2009-04-15 12:49 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-03 02:40 . 2009-04-15 12:49 654336 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:08 . 2009-04-15 12:49 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-03 00:44 . 2009-04-15 12:49 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-02-13 07:26 . 2009-04-15 12:49 72704 ----a-w c:\windows\system32\secur32.dll
2009-02-13 07:26 . 2009-04-15 12:49 1233408 ----a-w c:\windows\system32\lsasrv.dll
2009-02-13 07:26 . 2009-04-15 12:49 7680 ----a-w c:\windows\system32\lsass.exe
2009-02-09 01:59 . 2009-03-11 12:01 2028032 ----a-w c:\windows\system32\win32k.sys
2009-02-06 15:48 . 2007-10-09 20:44 106376 ----a-w c:\users\Gary\AppData\Local\GDIPFONTCACHEV1.DAT
2009-02-06 15:41 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstor.dat
2009-02-06 15:41 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat
2009-02-06 15:41 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstrng.dat
2009-02-06 15:36 . 2009-02-06 15:36 50 ----a-w c:\windows\system32\bridf08a.dat
2008-12-13 08:22 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2007-10-05 05:03 . 2007-10-05 04:55 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-04-18 159744]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-06 29744]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-07 405504]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-08 13601312]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-08 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-12-08 96800]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-02-19 1089536]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-06 286720]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"ATT_WCC"="c:\program files\BellSouthWCC\McciTrayApp.exe" [2007-12-04 1474048]
"BellSouthWCC_McciTrayApp"="c:\program files\BellSouthWCC\McciTrayApp.exe" [2007-12-04 1474048]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

c:\users\Gary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-4 50688]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-7-20 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9C353A64-28BD-49F3-A5BE-72C1425059E4}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{A4DBD0C0-3401-4412-ADCB-67A404CCE5E9}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{BBE942B5-A632-400E-A8A7-D99702B4B951}"= c:\program files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{C45A3777-E224-4BF1-B0A6-612B2174AE3D}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{FC16A3E1-7BFD-48F1-9CF7-DF67A2CA0DCB}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{69D6DEBD-4EC9-4416-9ACC-6A4E32071CE4}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"TCP Query User{1EB0FB56-18B6-40B4-AF4B-9019299BAE12}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{4835EB41-BB96-4ABE-A296-6CB218AD68CE}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{BE17C7E3-B635-4481-BF0C-E57BD5C555F3}c:\\program files\\rhapsody\\rhapsody.exe"= UDP:c:\program files\rhapsody\rhapsody.exe:RealNetworks Rhapsody
"UDP Query User{AA8557A1-F750-4AB7-B1AA-09B3F138E7EA}c:\\program files\\rhapsody\\rhapsody.exe"= TCP:c:\program files\rhapsody\rhapsody.exe:RealNetworks Rhapsody
"{EF016ED5-74AC-45C3-8443-F3C8A4CFD794}"= UDP:c:\program files\ATT-HSI\McciBrowser.exe:motivebrowser.exe
"{C4BCDAFA-AFDB-416E-889B-F7490CC92AC6}"= TCP:c:\program files\ATT-HSI\McciBrowser.exe:motivebrowser.exe
"TCP Query User{893B31D9-F6EE-4F75-A74B-4DEDA10AD81D}c:\\program files\\rhapsody\\rhapsody.exe"= UDP:c:\program files\rhapsody\rhapsody.exe:RealNetworks Rhapsody
"UDP Query User{300EDC67-4DA0-4893-AD9D-A4041333DB30}c:\\program files\\rhapsody\\rhapsody.exe"= TCP:c:\program files\rhapsody\rhapsody.exe:RealNetworks Rhapsody
"TCP Query User{744BCC23-D9B9-4B55-BAAE-6533CD07B6F9}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{3ED9B609-1B8B-44E6-AE98-B1131A87806B}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-06 29744]
R3 WCG200BVistaI386;Linksys WCG200 Wireless-G Cable Gateway(B);c:\windows\system32\DRIVERS\WCG200BVistaI386.sys [2006-12-22 15872]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-08-29 73728]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - f:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b97442d-7a4c-11dc-9113-001c23a13395}]
\shell\AutoRun\command - f:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-%PROVIDERID% - bin\sprtcmd.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 16:22
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\users\Gary\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-05-02 16:23
ComboFix-quarantined-files.txt 2009-05-02 20:23

Pre-Run: 99,282,534,400 bytes free
Post-Run: 99,598,880,768 bytes free

203 --- E O F --- 2009-04-24 11:38

Here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:33 PM, on 5/1/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16830)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\BellSouthWCC\McciTrayApp.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ATT_WCC] C:\Program Files\BellSouthWCC\McciTrayApp.exe
O4 - HKLM\..\Run: [BellSouthWCC_McciTrayApp] C:\Program Files\BellSouthWCC\McciTrayApp.exe
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CBFEDA0-D57E-4F81-A14E-712D2D7A1EEA}: NameServer = 85.255.112.201,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{B65194AE-680F-43E2-85B5-D7DE1F3C62E3}: NameServer = 85.255.112.201,85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.201,85.255.112.144
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.201,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.201,85.255.112.144
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11833 bytes

ken545

2009-05-03, 01:56

Looks like you had a Rootkit infection , you should be able to run Malwarebytes now, so follow my instructions and run it.

Then run this program and post the log.

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Post the Malwarebytes log, the GMER log and a New HJT log please

ken545

2009-05-10, 11:34

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.