Malware/Trojan problems continuing

[ninjakb]

Hi everyone,
I was hoping NOT to have to contact you.
It appears that I have ALSO been infected by *multiple* Trojans from VUNDO to Virtumonde. (they appear to be creating themselves though. I am NOT virus/trojan savvy so I am not sure what is going on with this).

There is a bit of history with this problem and I *thought* I had it cleared but to no avail. Here are the overall steps that I have taken already:

1) 3 weeks ago the laptop computer would not boot up. It would only get to "Loading PBR...done". It would not start in safe mode and would not boot from the XP Pro CD. I thought I had a dead drive. It is only 2 years old and I was pretty upset. I ran the system scans through F12 on startup to discover bad sectors on the drive.

2) Long story, short... I connected the laptop HD to the desktop machine, ran multiple scans (Symantec, Spybot, HijackThis and others) to discover a boatload of problems/Trojans (41?) on the HD. (I can list them if you like). I cleaned the drive, put it back in the laptop and was finally able to boot the machine - but only in safe mode (but no internet access).

3) I am simplifying an exhausting process and realize I should have just contacted you guys FIRST!!!! :-(

4) I have run hours of scans on the laptop and it *appears* to be clear but there are still problems. The problems are as follows:
- I can still only start in safe mode, but now have internet access.
- I had it so the laptop would boot all the way to the desktop, but could not click on anything. The screen was locked even though I could move the mouse around. The taskbar icons wouldn't load and if I put my cursor over the taskbar, it would turn into the hourglass. I had to do a hard restart and use F8 to get it running. I attempted to put a shortcut of systray.exe in my startup folder but that only worked for 1 restart.
- currently I cannot get the laptop to boot unless in safe mode. I get a black screen. I DID do a REPAIR reinstall of the XP PRO operating system. Related?
- I *cannot* run Kaspersky. It will not run an online scan - I get a message that the online scan has expired? I cannot install it either - message is something like administrator (me) has it set to not allow installs? Sorry for not giving exact wording.
- I have run HijackThis and have removed some items in the past that appeared to be related to the infection. I was pretty careful to leave anything that I wasn't ABSOLUTELY sure about. Hopefully i did not inadvertently do something stupid. But this possibility exists.
- I also removed the original offending file. It wasn't caught until DEEP into several scans but I found the BAD utorrent file that I downloaded that started all of this. :-( IT has been removed.

I have probably done TOO much on my own but thought that I could handle this after reading all the related posts on your forum. I was so excited to know that I didn't lose ALL of my data due to a bad drive that I started cleaning.

Anyway, here is the current HijackThis log. I would appreciate any and all help you can offer. THANK YOU SO MUCH in advance for your help.
Karen

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:12 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8968] command /c del "C:\WINDOWS\wt\WDInUsePlugin.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1769] cmd /c del "C:\WINDOWS\wt\WDInUsePlugin.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2048] command /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2969] cmd /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1842] command /c del "C:\WINDOWS\wt\info.txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6318] cmd /c del "C:\WINDOWS\wt\info.txt"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Shortcut to systray.lnk = C:\WINDOWS\system32\systray.exe
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.5.1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154751377421
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Venturi2 Client (Venturi2) - Fourelle Systems, Inc - C:\Program Files\Venturi2\Client\ventc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11809 bytes

Just thought of this.
The other strange thing that continues to occur:

Internet Explorer 'appears' as an icon on my desktop after restart. For seemingly no reason.

In general I use Firefox. The only time I have opened IE is to do an online Kaspersky scan - which didn't work. And I have never kept IE's icon on the desktop. It doesn't appear to be a shortcut either. But I have the regular IE program in my program files folder in the C: drive.

One other note - in my efforts to get my taskbar working correctly -- during the restart that WORKED when I copied the shortcut to systray.exe in the startup folder -- I right clicked on the taskbar -- went to properties and it locked up giving me an error saying 'end now' or 'cancel' explorer.exe.

 

[little eagle]

Download ComboFix from Here or Here to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

• Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
• Remember to re enable the protection again afterwards before connecting to the net

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

• IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
• If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.

 

[ninjakb]

ran combofix and hjt

Hi Little Eagle!
Thank you for your help. I did as you asked and ran each program. I do believe I had the same version of Combofix but I deleted it anyway and reinstalled from the location you gave me. Here is EXACTLY what I did:
one side note - my date is wrong on the computer so the properties of the logfile may look like Saturday March 8th. Is this a leap year thing? Is there a fix? and also for DST? I didn't realize that it would be an issue.
Anyway -
- I installed new Combofix version. I restarted in safe mode (I can't run regular mode) without networking and made sure nothing antivirus was running.
- I ran Combofix as per site instructions, dropping the Windows XP Pro icon onto it. Then ran Combofix to get a log. I noticed as it was running that it said that 'the system cannot find the file AWF'.
- after closing combofix, there was no longer any desktop icons. Only the words 'safe mode' were in all 4 corners and the headline of 'windows XP' info. So I restarted in safe mode without networking again. I then ran HJT.
- After saving the file, I restarted in safe mode WITH networking so I could send you these files.

OK, so here goes:

Combofix Log from the C: drive:
ComboFix 08-03-07.1 - Administrator 2008-03-08 15:21:23.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.775 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMcf2e9f25.xml
C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.

2008-03-08 15:07 . 2008-03-08 15:07 <DIR> d-------- C:\ComboFix(2)
2008-03-01 22:38 . 2008-03-01 22:38 <DIR> d-------- C:\Deckard
2008-03-01 21:42 . 2008-03-02 12:02 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-01 21:34 . 2008-03-01 21:34 <DIR> d-------- C:\Program Files\Safer Networking
2008-03-01 19:49 . 2008-03-01 19:49 <DIR> d-------- C:\Documents and Settings\Dr. Karen\DoctorWeb
2008-02-29 17:24 . 2005-10-14 21:45 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2008-02-29 16:10 . 2004-08-04 05:00 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-02-29 16:09 . 2004-08-04 05:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-02-29 16:08 . 2004-08-04 05:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-02-29 16:07 . 2004-08-04 05:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-02-29 16:06 . 2004-08-04 05:00 290,816 --a--c--- C:\WINDOWS\system32\dllcache\adsiis51.dll
2008-02-29 16:03 . 2008-02-29 16:03 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-02-29 16:03 . 2008-02-29 16:03 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-02-29 16:03 . 2008-02-29 16:03 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-02-29 16:03 . 2008-02-29 16:03 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-02-29 16:03 . 2008-02-29 16:03 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-02-29 16:03 . 2008-02-29 16:03 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-02-29 16:02 . 2004-08-04 05:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-02-29 10:06 . 2008-02-29 10:06 <DIR> d-------- C:\WINDOWS\dell
2008-02-28 23:05 . 2008-02-28 23:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-02-28 23:05 . 2008-02-29 00:36 19,755 --a------ C:\WINDOWS\setupapi.old
2008-02-25 00:25 . 2008-02-25 00:25 <DIR> d-------- C:\Documents and Settings\Dr. Karen\Application Data\Grisoft
2008-02-24 20:11 . 2008-03-04 18:37 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-02-24 19:39 . 2008-02-24 19:39 <DIR> d-------- C:\kav
2008-02-24 19:16 . 2008-02-25 13:49 4,376 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-24 19:01 . 2008-02-24 19:01 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-24 19:00 . 2008-02-24 19:11 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-02-24 18:18 . 2008-02-24 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-24 15:51 . 2008-02-24 15:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-24 15:44 . 2008-02-24 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-24 15:44 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-24 14:03 . 2008-02-24 19:45 <DIR> d-------- C:\VundoFix Backups
2008-02-22 23:29 . 2008-02-22 23:29 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-02-21 17:10 . 2008-02-21 17:10 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-21 17:10 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-21 17:10 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-21 17:10 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-21 17:10 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-21 17:10 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-21 17:10 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-21 17:10 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 21:37 8,456,224 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-02 18:19 --------- d-----w C:\Program Files\Trend Micro
2008-03-02 17:52 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-02 17:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-02 17:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-29 21:14 99,716 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-21 17:17 --------- d-----w C:\Documents and Settings\Dr. Karen\Application Data\Tunebite
2008-01-29 19:55 2,796,032 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-01-29 05:04 --------- d-----w C:\Program Files\uTorrent
2008-01-29 04:55 --------- d-----w C:\Documents and Settings\Dr. Karen\Application Data\uTorrent
2008-01-29 04:39 --------- d-----w C:\Program Files\PixiePack Codec Pack
2008-01-29 04:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-01-29 04:34 --------- d-----w C:\Program Files\RapidSolution
2008-01-29 04:23 --------- d-----w C:\Program Files\Sagasoft
2008-01-29 04:22 --------- d-----w C:\Program Files\MP3 Recorder XP
2008-01-28 04:04 25,600 ----a-w C:\Documents and Settings\Dr. Karen\usbsermptxp.sys
2008-01-28 04:04 22,768 ----a-w C:\WINDOWS\system32\drivers\usbsermpt.sys
2008-01-28 04:04 22,768 ----a-w C:\Documents and Settings\Dr. Karen\usbsermpt.sys
2008-01-28 03:11 --------- d-----w C:\Program Files\BitPim
2008-01-22 03:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-21 05:13 --------- d-----w C:\Program Files\ABC Amber LIT Converter
2008-01-20 16:09 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Intel
2008-01-20 01:53 --------- d-----w C:\Program Files\Microsoft Reader
2008-01-20 00:04 --------- d-----w C:\Program Files\MagicDisc
2008-01-17 05:25 --------- d-----w C:\Program Files\iTunes
2008-01-17 05:25 --------- d-----w C:\Program Files\iPod
2008-01-17 05:23 --------- d-----w C:\Program Files\Bonjour
2008-01-17 05:22 --------- d-----w C:\Program Files\QuickTime
2008-01-12 17:31 --------- d-----w C:\Program Files\Dl_cats
2007-12-26 04:38 7,518 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-28 05:01 94,416 ----a-w C:\Documents and Settings\Dr. Karen\Application Data\GDIPFONTCACHEV1.DAT
2007-10-28 01:47 2,410,496 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2007-08-22 15:18 26,024,817 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-04-04 23:53 1,931,264 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2006-11-15 18:01 92,064 ----a-w C:\Documents and Settings\Dr. Karen\mqdmmdm.sys
2006-11-15 18:01 9,232 ----a-w C:\Documents and Settings\Dr. Karen\mqdmmdfl.sys
2006-11-15 18:01 79,328 ----a-w C:\Documents and Settings\Dr. Karen\mqdmserd.sys
2006-11-15 18:01 66,656 ----a-w C:\Documents and Settings\Dr. Karen\mqdmbus.sys
2006-11-15 18:01 6,208 ----a-w C:\Documents and Settings\Dr. Karen\mqdmcmnt.sys
2006-11-15 18:01 5,936 ----a-w C:\Documents and Settings\Dr. Karen\mqdmwhnt.sys
2006-11-15 18:01 4,048 ----a-w C:\Documents and Settings\Dr. Karen\mqdmcr.sys
2006-11-09 17:51 1,319,936 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2006-11-03 16:47 1,304,576 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2006-10-16 04:47 1,233,920 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2006-10-14 06:00 1,214,464 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2006-10-13 22:09 1,814,528 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2006-10-13 22:06 1,814,528 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2006-09-15 03:06 0 ---ha-w C:\Program Files\AppUpdate.log
2006-08-12 04:24 1,656,320 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2006-08-01 19:38 2,223,616 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2006-07-31 01:18 1,567,744 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2006-07-31 01:17 1,978,368 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2006-07-28 00:46 1,566,208 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2006-07-20 07:45 3,849,728 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2006-07-04 02:19 1,501,184 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2006-07-03 23:48 1,500,160 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2006-06-27 00:03 1,348,608 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2006-04-26 02:33 1,164,800 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2007-11-26 23:56 88 --sha-r C:\WINDOWS\system32\DF3A8A2786.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-19 14:34 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2007-12-19 14:34 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2005-05-15 03:04 332800]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 19:39 176201]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB8968"="command /c del C:\WINDOWS\wt\WDInUsePlugin.dll" [ ]
"SpybotDeletingD1769"="cmd /c del C:\WINDOWS\wt\WDInUsePlugin.dll" [ ]
"SpybotDeletingB2048"="command /c del C:\WINDOWS\wt\webdriver.dll" [ ]
"SpybotDeletingD2969"="cmd /c del C:\WINDOWS\wt\webdriver.dll" [ ]
"SpybotDeletingB1842"="command /c del C:\WINDOWS\wt\info.txt" [ ]
"SpybotDeletingD6318"="cmd /c del C:\WINDOWS\wt\info.txt" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 15:59 385024]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2005-09-08 20:20 8192]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 17:30 823362]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 04:33 122941]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2005-09-01 18:24 684032]
"WD Button Manager"="WDBtnMgr.exe" [2007-04-03 11:47 339968 C:\WINDOWS\system32\WDBtnMgr.exe]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-05-21 18:11 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-06-01 10:09 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-06-01 10:03 217088]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [2006-11-03 17:09 312200]
"dlcxmon.exe"="C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 11:57 292336]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-03 17:04 304008]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2007-10-31 10:19 378784]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 21:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 21:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 21:50 114688]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 07:13 176128]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-07 23:39 171448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-02-20 12:41:34 24576]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-04-16 22:22:11 450560]
Shortcut to systray.lnk - C:\WINDOWS\system32\systray.exe [2004-08-04 05:00:00 3072]
WD Backup Monitor.lnk - C:\Program Files\My Book\WD Backup\uBBMonitor.exe [2007-04-03 11:48:13 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-15 03:04 332800 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-02-20 12:53 169472 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"C:\\WINDOWS\\system32\\dlcxcoms.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\Yahoo!\\UPnP\\yupnpsrv.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys [2007-05-11 09:16]
S2 dlcx_device;dlcx_device;C:\WINDOWS\system32\dlcxcoms.exe [2006-10-11 16:48]
S2 SampleScanner;e+ 48U Scanner;C:\WINDOWS\system32\DRIVERS\Artec48.sys [2001-06-07 16:56]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-10-10 16:41]
S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2006-09-22 15:33]
S3 zsi_fmw;Sansa Connect Firmware Recovery;C:\WINDOWS\system32\Drivers\zsi_fmw.sys []
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-14 19:24:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 15:26:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-08 15:28:01
ComboFix-quarantined-files.txt 2008-03-08 20:27:35
ComboFix2.txt 2008-03-02 00:11:39
.
2008-03-04 21:34:47 --- E O F ---

 

[ninjakb]

continued-hjt log

************************************
Here is the HJT log:
************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:33:34 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8968] command /c del "C:\WINDOWS\wt\WDInUsePlugin.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1769] cmd /c del "C:\WINDOWS\wt\WDInUsePlugin.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2048] command /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2969] cmd /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1842] command /c del "C:\WINDOWS\wt\info.txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6318] cmd /c del "C:\WINDOWS\wt\info.txt"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Shortcut to systray.lnk = C:\WINDOWS\system32\systray.exe
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.5.1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154751377421
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Venturi2 Client (Venturi2) - Fourelle Systems, Inc - C:\Program Files\Venturi2\Client\ventc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11499 bytes

 

[little eagle]

Download and run - ATF Cleaner instructions here.

---------------------------------------------

Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\DF3A8A2786.sys

Save this as Save this as "CFScript"

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

 

[ninjakb]

New Combofix Log

Hi Little Eagle,
I ran new logs as per instructions. I apologize for making two posts, but both logs do not fit in one post.
Karen


ComboFix 08-03-07.1 - Administrator 2008-03-08 21:31:20.3 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFscript.txt
.

((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-08 15:07 . 2008-03-08 15:07 <DIR> d-------- C:\ComboFix(2)
2008-03-01 22:38 . 2008-03-01 22:38 <DIR> d-------- C:\Deckard
2008-03-01 21:42 . 2008-03-02 12:02 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-01 21:34 . 2008-03-01 21:34 <DIR> d-------- C:\Program Files\Safer Networking
2008-03-01 19:49 . 2008-03-01 19:49 <DIR> d-------- C:\Documents and Settings\Dr. Karen\DoctorWeb
2008-02-29 17:24 . 2005-10-14 21:45 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2008-02-29 16:10 . 2004-08-04 05:00 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-02-29 16:09 . 2004-08-04 05:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-02-29 16:08 . 2004-08-04 05:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-02-29 16:07 . 2004-08-04 05:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-02-29 16:06 . 2004-08-04 05:00 290,816 --a--c--- C:\WINDOWS\system32\dllcache\adsiis51.dll
2008-02-29 16:03 . 2008-02-29 16:03 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-02-29 16:03 . 2008-02-29 16:03 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-02-29 16:03 . 2008-02-29 16:03 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-02-29 16:03 . 2008-02-29 16:03 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-02-29 16:03 . 2008-02-29 16:03 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-02-29 16:03 . 2008-02-29 16:03 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-02-29 16:02 . 2004-08-04 05:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-02-29 10:06 . 2008-02-29 10:06 <DIR> d-------- C:\WINDOWS\dell
2008-02-28 23:05 . 2008-02-28 23:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-02-28 23:05 . 2008-02-29 00:36 19,755 --a------ C:\WINDOWS\setupapi.old
2008-02-25 00:25 . 2008-02-25 00:25 <DIR> d-------- C:\Documents and Settings\Dr. Karen\Application Data\Grisoft
2008-02-24 20:11 . 2008-03-04 18:37 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-02-24 19:39 . 2008-02-24 19:39 <DIR> d-------- C:\kav
2008-02-24 19:16 . 2008-02-25 13:49 4,376 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-24 19:01 . 2008-02-24 19:01 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-24 19:00 . 2008-02-24 19:11 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-02-24 18:18 . 2008-02-24 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-24 15:51 . 2008-02-24 15:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-24 15:44 . 2008-02-24 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-24 15:44 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-24 14:03 . 2008-02-24 19:45 <DIR> d-------- C:\VundoFix Backups
2008-02-22 23:29 . 2008-02-22 23:29 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-02-21 17:10 . 2008-02-21 17:10 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-21 17:10 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-21 17:10 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-21 17:10 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-21 17:10 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-21 17:10 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-21 17:10 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-21 17:10 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 21:37 8,456,224 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-02 18:19 --------- d-----w C:\Program Files\Trend Micro
2008-03-02 17:52 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-02 17:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-02 17:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-29 21:14 99,716 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-21 17:17 --------- d-----w C:\Documents and Settings\Dr. Karen\Application Data\Tunebite
2008-01-29 19:55 2,796,032 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-01-29 05:04 --------- d-----w C:\Program Files\uTorrent
2008-01-29 04:55 --------- d-----w C:\Documents and Settings\Dr. Karen\Application Data\uTorrent
2008-01-29 04:39 --------- d-----w C:\Program Files\PixiePack Codec Pack
2008-01-29 04:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-01-29 04:34 --------- d-----w C:\Program Files\RapidSolution
2008-01-29 04:23 --------- d-----w C:\Program Files\Sagasoft
2008-01-29 04:22 --------- d-----w C:\Program Files\MP3 Recorder XP
2008-01-28 04:04 25,600 ----a-w C:\Documents and Settings\Dr. Karen\usbsermptxp.sys
2008-01-28 04:04 22,768 ----a-w C:\WINDOWS\system32\drivers\usbsermpt.sys
2008-01-28 04:04 22,768 ----a-w C:\Documents and Settings\Dr. Karen\usbsermpt.sys
2008-01-28 03:11 --------- d-----w C:\Program Files\BitPim
2008-01-22 03:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-21 05:13 --------- d-----w C:\Program Files\ABC Amber LIT Converter
2008-01-20 16:09 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Intel
2008-01-20 01:53 --------- d-----w C:\Program Files\Microsoft Reader
2008-01-20 00:04 --------- d-----w C:\Program Files\MagicDisc
2008-01-17 05:25 --------- d-----w C:\Program Files\iTunes
2008-01-17 05:25 --------- d-----w C:\Program Files\iPod
2008-01-17 05:23 --------- d-----w C:\Program Files\Bonjour
2008-01-17 05:22 --------- d-----w C:\Program Files\QuickTime
2008-01-12 17:31 --------- d-----w C:\Program Files\Dl_cats
2007-12-26 04:38 7,518 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-28 05:01 94,416 ----a-w C:\Documents and Settings\Dr. Karen\Application Data\GDIPFONTCACHEV1.DAT
2007-10-28 01:47 2,410,496 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2007-08-22 15:18 26,024,817 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-04-04 23:53 1,931,264 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2006-11-15 18:01 92,064 ----a-w C:\Documents and Settings\Dr. Karen\mqdmmdm.sys
2006-11-15 18:01 9,232 ----a-w C:\Documents and Settings\Dr. Karen\mqdmmdfl.sys
2006-11-15 18:01 79,328 ----a-w C:\Documents and Settings\Dr. Karen\mqdmserd.sys
2006-11-15 18:01 66,656 ----a-w C:\Documents and Settings\Dr. Karen\mqdmbus.sys
2006-11-15 18:01 6,208 ----a-w C:\Documents and Settings\Dr. Karen\mqdmcmnt.sys
2006-11-15 18:01 5,936 ----a-w C:\Documents and Settings\Dr. Karen\mqdmwhnt.sys
2006-11-15 18:01 4,048 ----a-w C:\Documents and Settings\Dr. Karen\mqdmcr.sys
2006-11-09 17:51 1,319,936 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2006-11-03 16:47 1,304,576 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2006-10-16 04:47 1,233,920 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2006-10-14 06:00 1,214,464 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2006-10-13 22:09 1,814,528 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2006-10-13 22:06 1,814,528 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2006-09-15 03:06 0 ---ha-w C:\Program Files\AppUpdate.log
2006-08-12 04:24 1,656,320 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2006-08-01 19:38 2,223,616 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2006-07-31 01:18 1,567,744 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2006-07-31 01:17 1,978,368 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2006-07-28 00:46 1,566,208 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2006-07-20 07:45 3,849,728 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2006-07-04 02:19 1,501,184 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2006-07-03 23:48 1,500,160 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2006-06-27 00:03 1,348,608 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2006-04-26 02:33 1,164,800 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2007-11-26 23:56 88 --sha-r C:\WINDOWS\system32\DF3A8A2786.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-19 14:34 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2007-12-19 14:34 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2005-05-15 03:04 332800]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 19:39 176201]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB8968"="command /c del C:\WINDOWS\wt\WDInUsePlugin.dll" [ ]
"SpybotDeletingD1769"="cmd /c del C:\WINDOWS\wt\WDInUsePlugin.dll" [ ]
"SpybotDeletingB2048"="command /c del C:\WINDOWS\wt\webdriver.dll" [ ]
"SpybotDeletingD2969"="cmd /c del C:\WINDOWS\wt\webdriver.dll" [ ]
"SpybotDeletingB1842"="command /c del C:\WINDOWS\wt\info.txt" [ ]
"SpybotDeletingD6318"="cmd /c del C:\WINDOWS\wt\info.txt" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 15:59 385024]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2005-09-08 20:20 8192]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 17:30 823362]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 04:33 122941]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2005-09-01 18:24 684032]
"WD Button Manager"="WDBtnMgr.exe" [2007-04-03 11:47 339968 C:\WINDOWS\system32\WDBtnMgr.exe]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-05-21 18:11 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-06-01 10:09 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-06-01 10:03 217088]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [2006-11-03 17:09 312200]
"dlcxmon.exe"="C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 11:57 292336]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-03 17:04 304008]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2007-10-31 10:19 378784]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 21:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 21:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 21:50 114688]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 07:13 176128]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-07 23:39 171448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-02-20 12:41:34 24576]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-04-16 22:22:11 450560]
Shortcut to systray.lnk - C:\WINDOWS\system32\systray.exe [2004-08-04 05:00:00 3072]
WD Backup Monitor.lnk - C:\Program Files\My Book\WD Backup\uBBMonitor.exe [2007-04-03 11:48:13 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-15 03:04 332800 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-02-20 12:53 169472 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"C:\\WINDOWS\\system32\\dlcxcoms.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\Yahoo!\\UPnP\\yupnpsrv.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys [2007-05-11 09:16]
S2 dlcx_device;dlcx_device;C:\WINDOWS\system32\dlcxcoms.exe [2006-10-11 16:48]
S2 SampleScanner;e+ 48U Scanner;C:\WINDOWS\system32\DRIVERS\Artec48.sys [2001-06-07 16:56]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-10-10 16:41]
S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2006-09-22 15:33]
S3 zsi_fmw;Sansa Connect Firmware Recovery;C:\WINDOWS\system32\Drivers\zsi_fmw.sys []
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-14 19:24:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 21:36:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-08 21:37:59
ComboFix-quarantined-files.txt 2008-03-09 02:37:46
ComboFix2.txt 2008-03-08 20:28:02
ComboFix3.txt 2008-03-02 00:11:39
.
2008-03-04 21:34:47 --- E O F ---

 

[ninjakb]

New HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:54 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8968] command /c del "C:\WINDOWS\wt\WDInUsePlugin.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1769] cmd /c del "C:\WINDOWS\wt\WDInUsePlugin.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2048] command /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2969] cmd /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1842] command /c del "C:\WINDOWS\wt\info.txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6318] cmd /c del "C:\WINDOWS\wt\info.txt"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Shortcut to systray.lnk = C:\WINDOWS\system32\systray.exe
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.5.1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154751377421
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Venturi2 Client (Venturi2) - Fourelle Systems, Inc - C:\Program Files\Venturi2\Client\ventc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11577 bytes

 

[little eagle]

Run this online scan from ESET

You will need to use Internet explorer for this scan!

• First, accept the Terms of Use
• Click: Start
• When asked, allow the ActiveX control to install
• Click: Start
• Make sure the options:
  Remove found threats, and Scan unwanted applications
  are both checked!
• Click: Scan

When the scan finishes, use Notepad to open the ESET report.
It will be located here C:\Program Files\EsetOnlineScanner\log.txt

 

[ninjakb]

ESET scan

Hi Little Eagle,
Here is the log file from ESET:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2931 (20080307)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=16cc5a206444ac4cbec2008b435ea244
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-03-09 04:46:05
# local_time=2008-03-08 11:46:05 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=426496
# found=0
# scan_time=4460


Just in case you need it, here is the debuglog too:

# vers_standard_module=2931 (20080307)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)


Thank you,
Karen

 

[little eagle]

Reboot and rescan with HiJackThis and post a new log here.
Also please describe how your computer behaves at the moment.

 

[ninjakb]

New HJT scan/computer behavior

Hi Little Eagle,
Side note: One thing I wanted to make sure I did correctly --
When i ran ATF cleaner, I did NOT delete Prefetch files or saved Firefox passwords as mentioned on the instructions page.

Here is what I just did:
I rebooted in safe mode w/networking and ran an HJT scan.
I restarted to see if computer would work and if maybe I could get you an HJT scan that way.

Here is how the computer acts when attempting to start in regular mode (I will explain the best I can but sometimes lack the words):
- very SLOW startup
- the desktop, icons and taskbar all show up but the cursor has an hourglass next to it. I can move the cursor over the desktop or taskbar but it still shows the cursor and hourglass icon
- I waited it out. The taskbar ends up disappearing and will not appear even when scrolling over it. The hourglass disappears and just turns to a plain cursor. I still can move it all over the screen.
- Once I attempt to click on any folder or item on my desktop, the cursor turns only to an hourglass and hangs. Nothing happens. I can still move the hourglass around.
- i waited for over 5 minutes before restarting. But I have to restart by pulling the battery and plug. Control, Alt, Delete doesn't work and the power button doesn't work.
- I restarted in safe mode w/networking and sent you the new HJT log.

Here it is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:34 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8968] command /c del "C:\WINDOWS\wt\WDInUsePlugin.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1769] cmd /c del "C:\WINDOWS\wt\WDInUsePlugin.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2048] command /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2969] cmd /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1842] command /c del "C:\WINDOWS\wt\info.txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6318] cmd /c del "C:\WINDOWS\wt\info.txt"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Shortcut to systray.lnk = C:\WINDOWS\system32\systray.exe
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.5.1.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154751377421
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Venturi2 Client (Venturi2) - Fourelle Systems, Inc - C:\Program Files\Venturi2\Client\ventc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11646 bytes

Thank you,
Karen

 

[little eagle]

I'd like to see an Uninstall List.
Please open up HijackThis.
Click on Open the Misc Tools section button
Click on Open Uninstall Manager
Click on Save
A notepad document will open with a list of your installed programs.
Please copy that into your reply.

For now lets remove spybot and delete the folder.

 

[ninjakb]

Uninstall list. Spybot removal

HI!

Here is the uninstall list. (if I can remove some things, esp. on the antivirus/antispyware end, please let me know).
I am going to remove Spybot right now.

7-Zip 4.44 beta
ABBYY FineReader 6.0 Sprint
ABC Amber LIT Converter
Ad-Aware SE Personal
Adobe Photoshop 6.0
Adobe Reader 7.0.9
Adobe Shockwave Player
Adobe SVG Viewer
Ahead Nero Burning ROM
AIM 6
ALPS Touch Pad Driver
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOL Instant Messenger
AOL Uninstaller (Choose which Products to Remove)
AOLIcon
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
AutoUnpack 4.4.4
Avanquest update
avast! Antivirus
AVG Anti-Spyware 7.5
AvPropPlugin 1.0.0.1
BitPim 1.0.4
Bonjour
Bounce Symphony from Dell Media Experience (remove only)
Briscola 5.1
Broadcom Management Programs 2
Brother HL-2070N
CatchPhrase (TM)
CDMaster32
Collab
Conexant D110 MDC V.9x Modem
Corel Paint Shop Pro X
Corel Photo Album 6
Crystal Maze (For Remote Control) from Dell Media Experience (remove only)
Crystal Maze from Dell Media Experience (remove only)
dBpoweramp Music Converter
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell PC Fax
Dell Photo AIO Printer 926
Dell Support 3.1
Digital Content Portal
Digital Line Detect
DING!
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab Decrypter 3.0.8.0
e+ 48U
EarthLink setup files
eBook Library by Sony
EducateU
ELIcon
Envisioneer Express 3.0
ESET Online Scanner
Exerlence Advisor
FL Studio 6
Flash Builder
Fourelle Venturi Personal Client 2.1.1
Free and Easy Biorhythm Calculator version 3.00
FreeFTP
Get High Speed Internet!
Google
Google Desktop
Google Toolbar for Internet Explorer
Health Assessment
Health Assessment (C:\Program Files\Health\)
HijackThis 2.0.2
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PROSet/Wireless Software
Internal Network Card Power Management
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
LimeWire 4.12.6
Logitech Desktop Messenger
Logitech Print Service
Logitech QuickCam
Logitech® Camera Driver
Macromedia Dreamweaver Attain
Magic DVD Ripper V3.5
MagicDisc 2.5.79
mCore
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Access 2000 Runtime
Microsoft Calculator Plus
Microsoft Office XP Professional
Microsoft Publisher 2002
Microsoft Reader
Microsoft Streets and Trips 2005
Microsoft Visual C++ 2005 Redistributable
mIWA
mIWCA
mLogView
mMHouse
Modem Helper
Motorola Driver Installation 3.4.0
Motorola Phone Tools
Motorola Software Update
Mozilla Firefox (2.0.0.12)
MP3 Recorder XP 1.90
mPfMgr
mPfWiz
mProSafe
MSN Music Assistant
mSSO
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
mToolkit
Musicmatch® Jukebox
mWlsSafe
mXML
MyEMR for Windows
Myst III: Exile
mZConfig
NetWaiting
NetZeroInstallers
NoteBurner 1.36
Nucleus Kernel Undelete Demo ver 4.02
Orbital from Dell Media Experience (remove only)
Overball from Dell Media Experience (remove only)
Palm
PixiePack Codec Pack
Polar Bowler from Dell Media Experience (remove only)
Power MP3 WMA Converter 2006, (ver 3.51)
Power MP3 WMA Recorder 1.01
Powerbullet Presenter 1.43
PowerDVD 5.5
Presilo 0.4.3.0
QuickSet
QuickTime
RealPlayer
Remove Labyrinth Society Screensaver
Riven
Rocket Piano Bonus Software
Rocket Piano eBooks
Rocket Piano MP3 Audio Files
RunAlyzer
Scopa d'Assi
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Skype™ 3.2
Slyder (For Remote Control) from Dell Media Experience (remove only)
Slyder from Dell Media Experience (remove only)
SmartFTP Client 2.0
SmartFTP Client 2.0 Setup Files (remove only)
Sonic Audio module
Sonic DLA
Sonic MyDVD LE
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SoundTaxi 1.2.5
Spybot - Search & Destroy
TextBridge Pro 8.0
The Crystal Key v11
TomTom HOME
Tradewinds from Dell Media Experience (remove only)
Trend Micro PC-cillin Internet Security 12
Tunebite
URGE
URL Assistant
VideoLAN VLC media player 0.8.6b
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar
WD Backup
WD Firewire HID Driver
WebCyberCoach 3.2 Dell
Windows Driver Package - Sony Corporation (PRSUSB) USB (08/08/2006 1.0.03.08080)
Windows Genuine Advantage v1.3.0254.0
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 11
WinRAR archiver
WordPerfect Office 12
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Music Jukebox
Yahoo! Toolbar for Internet Explorer
YAMAHA Digital Music Notebook
YAMAHA Launcher V1.0
ZoneAlarm
ZoneAlarm Spy Blocker

Thank you,
Karen

 

[little eagle]

You have avast! Antivirus you can remove Trend Micro PC-cillin Internet Security 12

You should remove DING! and EarthLink setup files

Be sure to keep SunJava, updated it is important to remove older versions as these are the ones with the holes in them.
Download Newest >>>> http://www.java.com/en/download/index.jsp
Once installed you can test to see that it is in fact installed >>>>
Sun Java Test

Remove these also
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1

These are junkware :lip:
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar

 

[ninjakb]

Unable to remove

Hi Little Eagle,
Thank you for the info. I attempted to uninstall all of the programs you listed. I also attempted to download the new version of Java.
Unfortunately, since I am in safe mode, I kept getting the message that 'Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode... etc.'
I can't get the computer running in regular mode so didn't know how to accomplish this.

Help!

On a side note, I was wondering if 'Ding!' was that important to remove. I could always reinstall it. But I travel quite a bit and it is for Southwest airlines cheap fares alerts. Can I keep it?

Also - the Java update - do I remove all existing versions from the machine BEFORE downloading the new version or is it ok to download the newest version and THEN remove the old versions?

Lastly, other than AOL IM, I don't use any other AOL service. Can I remove everything else AOL without removing AIMs functionality?

Sorry to bombard you with questions. Just want to make sure i do this right. Thank you once again.
Karen

 

[little eagle]

Also - the Java update - do I remove all existing versions from the machine BEFORE downloading the new version or is it ok to download the newest version and THEN remove the old versions?

I do not think it matters we just have them remove all of the older versions so they don't forget.

On a side note, I was wondering if 'Ding!' was that important to remove. I could always reinstall it. But I travel quite a bit and it is for Southwest airlines cheap fares alerts. Can I keep it?

It's not a trojan or virus so if you think you need it it's your choice.

Lastly, other than AOL IM, I don't use any other AOL service. Can I remove everything else AOL without removing AIMs functionality?

Yes I think you can the AIM is separate program.

 

[ninjakb]

very good

HI Little Eagle,

Ok I will follow those instructions.

But back to the original problem - I don't know how to do any of the installs or de-installs in safe mode. I can't get the darn computer running in regular mode to make the changes either.

Can you suggest a way around that? ;-)

Karen

 

[little eagle]

Close all programs leaving only HijackThis running. Place a check against each of the following,

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8968] command /c del "C:\WINDOWS\wt\WDInUsePlugin.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1769] cmd /c del "C:\WINDOWS\wt\WDInUsePlugin.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2048] command /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2969] cmd /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1842] command /c del "C:\WINDOWS\wt\info.txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6318] cmd /c del "C:\WINDOWS\wt\info.txt"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe

Click on Fix Checked when finished and exit HijackThis.

Then try to reboot with out going in to safe mode.
We can restore some of these later.

 

[ninjakb]

No luck

Hi Little Eagle,
I 'fixed' those files as requested. The only one that was not present was:
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

-- but you had me remove spybot before, so I wasn't concerned. I 'fixed' all others.

I am using my other OLD laptop so I could leave the one we are working on running.

Here is what happened:
- I restarted in regular mode. Again, SLOW startup. The desktop and the taskbar loaded. The cursor and hourglass next to it showed on the desktop for a bit, then changed to a regular cursor. But when i moved it over the taskbar, it turned to an hourglass.
- I waited it out and ended up with just a cursor over the desktop and taskbar. The taskbar is showing now but no system tray icons.
- I cannot click on any folder or icon on the desktop though. Nothing happens. The cursor still moves though.
- Also, I 'usually' have the taskbar set to autohide when I use the computer in general. It is not doing that.

Anyway, just trying to be thorough give you all the small details and subtleties. I did NOT restart it yet and have the computer running if there is anything I can do in this mode and you happen to get to this message this evening.

Thank you!

Karen

 

[ninjakb]

Weird things

Hi Little Eagle,

OK, had to tell you this one.
I walked away to go take care of some other tasks and left the computer sitting. (again, it is in regular mode). I have been gone 15 minutes or so?

When i got back, all these windows are up on the desktop and in the taskbar it says '10 Windows Explorer' (like I have 10 Windows Explorer windows open). BUT - the windows that ARE open are just folders from my desktop and if I recall correctly, they are the last folders I tried to click on every time I tried to access them in the past in regular startup mode. So there is the folder to 'My Computer' and a folder I created on the desktop to keep all of the logfiles titled 'TO FIX COMPUTER' - there are 5 of each of these folders. Right now, the 'my computer' folder is open and the flashlight is going back and forth trying to access the folder.
- Also, the taskbar is loaded with a few system tray icons loaded as well.

I tried to click on the windows to close them but nothing is happening. I am waiting to see if anything will happen. If I see that it is locked up, I am going to just shut it down and await further instructions.

Just weird. Thoughts?

Karen