Another Win32:BHO-KD Infection

Hi,

Avast has picked up Win32:BHO-KD but could not delete / move to chest. Have disabled Windows Restore and am running a Boot Time Scan. It has picked up one file and moved it to the chest. Is there anything else I should do?

Thanks,

Phil B

Welcome to the forum.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, dss will open two Notepads, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Thanks for your help. Scan details are below; they will need to be split into several posts as the log exceeds the maximum length:

Main.txt

Deckard’s System Scanner v20071014.68
Run by Dave Witcher on 2008-01-03 13:48:57
Computer is in Normal Mode.

– System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable…success.

– Last 1 Restore Point(s) –
1: 2008-01-03 13:48:58 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

– HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-03 13:50:39
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\SystemErrorFixer\strpmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft ActiveSync\rapimgr.exe
C:\Program Files\Dell\Bluetooth Software\BTStackServer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dave Witcher\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {01F9FE1A-FDF9-48C6-AC08-E5AFC4CCD457} - c:\windows\system32\nnmannm.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {64DA1515-8B69-4244-BEC6-79F9BE957CAB} - C:\WINDOWS\system32\hcgujwcw.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKLM\..\Run: [Salestart] “C:\Program Files\Common Files\SystemErrorFixer\strpmon.exe” dm=http://systemerrorfixer.com; ad=http://systemerrorfixer.com
O4 - HKCU\..\Run: [H/PC Connection Agent] “C:\PROGRA~1\MICROS~3\wcescomm.exe”
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘SYSTEM’)
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘Default user’)
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Dell\Bluetooth Software\BTTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra ‘Tools’ menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra ‘Tools’ menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/5/B/E/5BE645ED-2F2D-4E4D-9C54-AFB56EFCB312/LegitCheckControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\BTXPPanel.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: mtggdcxg - C:\WINDOWS\system32\nnmannm.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\system32\WLTRYSVC.EXE


End of file - 8650 bytes

Main.txt - page 2

– File Associations -----------------------------------------------------------

All associations okay.

– Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 mljxpzmw (Microsoft RPC API Helper) - c:\windows\system32\drivers\jdmaqxoi.dat

S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
S3 se59bus (Sony Ericsson Device 089 driver (WDM)) - c:\windows\system32\drivers\se59bus.sys <Not Verified; MCCI; Sony Ericsson Device 089>
S3 se59mdfl (Sony Ericsson Device 089 USB WMC Modem Filter) - c:\windows\system32\drivers\se59mdfl.sys <Not Verified; MCCI; Sony Ericsson Device 089 USB WMC Modem Filter Driver>
S3 se59mdm (Sony Ericsson Device 089 USB WMC Modem Driver) - c:\windows\system32\drivers\se59mdm.sys <Not Verified; MCCI; Sony Ericsson Device 089 USB WMC Data Modem>
S3 se59obex (Sony Ericsson Device 089 USB WMC OBEX Interface) - c:\windows\system32\drivers\se59obex.sys <Not Verified; MCCI; Sony Ericsson Device 089 USB WMC OBEX Interface>
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)
S4 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys (file missing)

– Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

– Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

– Scheduled Tasks -------------------------------------------------------------

2008-01-03 13:50:43 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job

– Files created between 2007-12-03 and 2008-01-03 -----------------------------

Nothing created in this timespan.

– Find3M Report ---------------------------------------------------------------

2007-11-09 16:26:44 0 d-------- C:\Program Files\SystemErrorFixer
2007-11-07 20:42:47 0 d-------- C:\Documents and Settings\Dave Witcher\Application Data\Teleca
2007-11-07 20:41:25 0 d-------- C:\Program Files\Common Files\Teleca Shared
2007-11-07 20:40:45 0 d-------- C:\Program Files\Common Files
2007-11-07 20:24:41 0 d-------- C:\Documents and Settings\Dave Witcher\Application Data\systemerrorfixer
2007-11-07 20:19:21 0 d-------- C:\Program Files\Common Files\SystemErrorFixer
2007-10-14 09:54:31 35584 --a------ C:\WINDOWS\system32\pvxnshwf.dat
2007-10-14 09:54:31 741632 --a------ C:\WINDOWS\system32\huslroeo.dat
2007-10-14 09:54:27 41728 --a------ C:\WINDOWS\system32\sajnihsj.dat
2007-10-13 09:17:32 119040 --a------ C:\WINDOWS\system32\tphmlmoq.dat
2007-10-08 15:17:15 34560 --a------ C:\WINDOWS\system32\oigkpjhj.dat

– Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01F9FE1A-FDF9-48C6-AC08-E5AFC4CCD457}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64DA1515-8B69-4244-BEC6-79F9BE957CAB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SynTPLpr”=“C:\Program Files\Synaptics\SynTP\SynTPLpr.exe” [13/05/2004 19:23]
“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [14/05/2004 09:35]
“IgfxTray”=“C:\WINDOWS\System32\igfxtray.exe” [25/02/2004 16:42]
“HotKeysCmds”=“C:\WINDOWS\System32\hkcmd.exe” [25/02/2004 16:38]
“Broadcom Wireless Manager UI”=“C:\WINDOWS\system32\WLTRAY.exe” [01/11/2006 12:48]
“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [09/07/2001 11:50]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [04/12/2007 13:00]
“Windows Defender”=“C:\Program Files\Windows Defender\MSASCui.exe” [03/11/2006 18:20]
“Salestart”=“C:\Program Files\Common Files\SystemErrorFixer\strpmon.exe” [09/10/2007 14:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“H/PC Connection Agent”=“C:\PROGRA~1\MICROS~3\wcescomm.exe” [26/06/2006 16:13]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [04/08/2004 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
“DWQueuedReporting”=“C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [22/01/2007 14:10:36]
BTTray.lnk - C:\Program Files\Dell\Bluetooth Software\BTTray.exe [26/04/2004 17:13:54]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mtggdcxg]
nnmannm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=“Service”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@=“Service”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@=“Volume shadow copy”

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
khmdbjxm

– End of Deckard’s System Scanner: finished at 2008-01-03 13:51:23 ------------

Extra.txt

Deckard’s System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

– System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) M processor 1.40GHz
Percentage of Memory in Use: 51%
Physical Memory (total/avail): 630.04 MiB / 306.91 MiB
Pagefile Memory (total/avail): 1540.82 MiB / 1247.03 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.55 MiB

C: is Fixed (NTFS) - 37.26 GiB total, 21.23 GiB free.

\\.\PHYSICALDRIVE0 - FUJITSU MHT2040AH - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:

– Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: avast! antivirus 4.7.1098 [VPS 071231-0] v4.7.1098 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=“%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019”
“C:\Program Files\Microsoft ActiveSync\rapimgr.exe”=“C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager”
“C:\Program Files\Microsoft ActiveSync\wcescomm.exe”=“C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager”
“C:\Program Files\Microsoft ActiveSync\WCESMgr.exe”=“C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application”

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=“%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019”
“C:\Program Files\Microsoft ActiveSync\rapimgr.exe”=“C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager”
“C:\Program Files\Microsoft ActiveSync\wcescomm.exe”=“C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager”
“C:\Program Files\Microsoft ActiveSync\WCESMgr.exe”=“C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application”
“C:\Program Files\Messenger\msmsgs.exe”=“C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger”
“C:\WINDOWS\system32\obrxvvgh.exe”=“C:\WINDOWS\system32\obrxvvgh.exe:*:Disabled:obrxvvgh”

– Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Dave Witcher\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=APECLAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA8
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Dave Witcher
LOGONSERVER=\\APECLAPTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Teleca Shared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d06
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\DAVEWI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\DAVEWI~1\LOCALS~1\Temp
USERDOMAIN=APECLAPTOP
USERNAME=Dave Witcher
USERPROFILE=C:\Documents and Settings\Dave Witcher
windir=C:\WINDOWS

– User Profiles ---------------------------------------------------------------

Dave Witcher

– Add/Remove Programs ---------------------------------------------------------

→ C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
→ rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 → MsiExec.exe /X{E31C348B-63A9-4CBF-8D7F-D932ABB63244}
Adobe Acrobat 5.0 → C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX → C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Shockwave Player → C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
avast! Antivirus → rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Broadcom Gigabit Integrated Controller → MsiExec.exe /X{7E369B27-13E2-41A5-9879-358EE1C8B5AD}
C-Major Audio → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe” -l0x9 -remove -removeonly
CCleaner (remove only) → “C:\Program Files\CCleaner\uninst.exe”
Conexant D480 MDC V.92 Modem → C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
Dell Bluetooth Software → MsiExec.exe /X{90535871-81B9-4D99-8A13-A7EE97F2D7FE}
Dell Wireless WLAN Card → “C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe” verbose /rootkey=“Software\Broadcom\802.11\UninstallInfo” /rootdir=“C:\Program Files\Dell\Dell Wireless WLAN Card”
DesignBuilder → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{9C306D70-8A6C-11D5-8CDF-00D0B78FC575}\Setup.exe” -l0x9
Digimax Master → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{AEC0CEBC-0FC7-4716-8222-1C4A742719B1}\Setup.exe” -l0x9 -removeonly
EDS Vis Products 4.1 → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\EDS\Vis Products\4_1\Program\Uninst.isu" -c"C:\Program Files\EDS\Vis Products\4_1\Program\Uninstall.dll"
FieldWorks Species Distribution → MsiExec.exe /X{A91C56E6-E15A-11D4-891D-0050DADD6051}
Hotfix for Windows Media Format 11 SDK (KB929399) → “C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe”
Intel(R) Extreme Graphics 2 Driver → RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
Jasc Paint Shop Pro 8 → MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Microsoft ActiveSync 4.0 → MsiExec.exe /I{B208806F-A231-4FA0-AB3F-5C1B8979223E}
Microsoft Compression Client Pack 1.0 for Windows XP → “C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe”
Microsoft Office Outlook 2003 → MsiExec.exe /I{90E00409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional with FrontPage → MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Project 2000 → MsiExec.exe /I{2DFE1608-BDCA-11D1-B7AE-00C04FB92F3D}
Microsoft User-Mode Driver Framework Feature Pack 1.0 → “C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe”
Nero Suite → C:\Program Files\Common Files\Ahead\Uninstall\Setup.exe /uninstall
Samsung USB Driver → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{7ABE1621-5354-4136-A0EA-0BD9CD900B6B}\Setup.exe”
Spybot - Search & Destroy 1.4 → “C:\Program Files\Spybot - Search & Destroy\unins000.exe”
Synaptics Pointing Device Driver → rundll32.exe “C:\Program Files\Synaptics\SynTP\SynISDLL.dll”,standAloneUninstall
Windows Defender → MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Media Format 11 runtime → “C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe”
Yahoo! Install Manager → C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Toolbar → C:\PROGRA~1\Yahoo!\Common\unyt.exe

Extra.txt page 2

– Application Event Log -------------------------------------------------------

Event Record #/Type: 3236 / Warning
Event Submitted/Written: 01/02/2008 10:40:56 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type: 3235 / Error
Event Submitted/Written: 01/02/2008 10:40:51 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16574, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type: 3234 / Error
Event Submitted/Written: 01/02/2008 10:40:27 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application ashDisp.exe, version 4.7.1098.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type: 3230 / Warning
Event Submitted/Written: 12/31/2007 07:45:35 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type: 3229 / Error
Event Submitted/Written: 12/31/2007 07:45:29 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16574, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

– Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

– System Event Log ------------------------------------------------------------

Event Record #/Type: 18807 / Warning
Event Submitted/Written: 01/03/2008 01:51:04 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%APECLAPTOP27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %APECLAPTOP27 can’t undo changes that you allow.

For more information please see the following:
%APECLAPTOP275

Scan ID: {F602F118-D268-465E-8647-D1997F58702E}

User: APECLAPTOP\Dave Witcher

Name: %APECLAPTOP271

ID: %APECLAPTOP272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %APECLAPTOP276

Alert Type: %APECLAPTOP278

Detection Type: 1.1.1593.02

Event Record #/Type: 18806 / Warning
Event Submitted/Written: 01/03/2008 01:51:04 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%APECLAPTOP27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %APECLAPTOP27 can’t undo changes that you allow.

For more information please see the following:
%APECLAPTOP275

Scan ID: {154BE61D-E39B-4F18-A8B2-53FDEF4B057B}

User: APECLAPTOP\Dave Witcher

Name: %APECLAPTOP271

ID: %APECLAPTOP272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %APECLAPTOP276

Alert Type: %APECLAPTOP278

Detection Type: 1.1.1593.02

Event Record #/Type: 18805 / Warning
Event Submitted/Written: 01/03/2008 01:51:04 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%APECLAPTOP27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %APECLAPTOP27 can’t undo changes that you allow.

For more information please see the following:
%APECLAPTOP275

Scan ID: {FA7510C7-F371-4D59-A5B9-284F23717385}

User: APECLAPTOP\Dave Witcher

Name: %APECLAPTOP271

ID: %APECLAPTOP272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %APECLAPTOP276

Alert Type: %APECLAPTOP278

Detection Type: 1.1.1593.02

Event Record #/Type: 18804 / Warning
Event Submitted/Written: 01/03/2008 01:51:01 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%APECLAPTOP27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %APECLAPTOP27 can’t undo changes that you allow.

For more information please see the following:
%APECLAPTOP275

Scan ID: {A0912B6A-A5D8-42E3-B7F3-3D009B724A10}

User: APECLAPTOP\Dave Witcher

Name: %APECLAPTOP271

ID: %APECLAPTOP272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %APECLAPTOP276

Alert Type: %APECLAPTOP278

Detection Type: 1.1.1593.02

Event Record #/Type: 18803 / Warning
Event Submitted/Written: 01/03/2008 01:51:01 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%APECLAPTOP27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %APECLAPTOP27 can’t undo changes that you allow.

For more information please see the following:
%APECLAPTOP275

Scan ID: {9BA98E96-C625-4ED4-A9C9-BFC84DF0EB84}

User: APECLAPTOP\Dave Witcher

Name: %APECLAPTOP271

ID: %APECLAPTOP272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %APECLAPTOP276

Alert Type: %APECLAPTOP278

Detection Type: 1.1.1593.02

– End of Deckard’s System Scanner: finished at 2008-01-03 13:51:23 ------------
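What the helper is scanning the log above for by eye are a handful of recurring indicators: an autostart entry whose DLL is already gone (`(file missing)`), a Winlogon Notify package, a boot-start driver loaded from a `.dat` instead of a `.sys`, generated-looking eight-letter names (`hcgujwcw`, `jdmaqxoi`, `khmdbjxm`, `mtggdcxg`), loose `.dat` files dropped straight into system32, and a Run value that passes ad URLs to the program it starts. The script below is an added example written for this page; it is not a tool from the thread and is not part of HijackThis, DSS or ComboFix. It encodes those checks as rules and runs them over a constructed subset of the posted log lines (copied with straight quotes). The rule thresholds and the small ALLOWLIST of legitimate low-vowel names are this example's own assumptions.

```python
"""Triage rules for HijackThis / DSS style log lines.

Added example for this thread: not a tool from the original posts and not
part of HijackThis, DSS or ComboFix.  The rules encode what a removal
helper looks for by eye; SAMPLE_LOG holds lines copied from the log above
(straight quotes substituted), and ALLOWLIST is an assumption.
"""
import ntpath
import re
from typing import Dict, List

# Assumption: legitimate 8-letter names with few vowels that the
# vowel-ratio rule would otherwise flag; extend by hand as needed.
ALLOWLIST = {"schtasks", "sqlservr"}

# Constructed sample: lines taken from the DSS log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {01F9FE1A-FDF9-48C6-AC08-E5AFC4CCD457} - c:\windows\system32\nnmannm.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {64DA1515-8B69-4244-BEC6-79F9BE957CAB} - C:\WINDOWS\system32\hcgujwcw.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SystemErrorFixer\strpmon.exe" dm=http://systemerrorfixer.com; ad=http://systemerrorfixer.com
O20 - Winlogon Notify: mtggdcxg - C:\WINDOWS\system32\nnmannm.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
R0 mljxpzmw (Microsoft RPC API Helper) - c:\windows\system32\drivers\jdmaqxoi.dat
2007-10-14 09:54:31 741632 --a------ C:\WINDOWS\system32\huslroeo.dat
khmdbjxm
"""

# A quoted path (may contain spaces) or the first bare drive path to end of line.
_QUOTED_OR_BARE_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S.*)')
_LOWER8 = re.compile(r"\b[a-z]{8}\b")
_DAT_UNDER_SYSTEM32 = re.compile(r"\\system32\\(?:[^\\]+\\)*[a-z]{8}\.dat$", re.I)
_FILE_MISSING = " (file missing)"


def extract_path(line: str) -> str:
    """Return the first Windows path on the line without the '(file missing)' marker."""
    m = _QUOTED_OR_BARE_PATH.search(line)
    if not m:
        return ""
    path = m.group(1) or m.group(2)
    return path.replace(_FILE_MISSING, "").strip()


def looks_random(name: str) -> bool:
    """Eight lowercase letters with under 25% vowels, or a 'q' not followed by 'u'."""
    if name in ALLOWLIST:
        return False
    vowel_ratio = sum(c in "aeiou" for c in name) / len(name)
    return vowel_ratio < 0.25 or re.search(r"q(?!u)", name) is not None


def triage_line(line: str) -> Dict[str, object]:
    """Apply every rule to one line; 'reasons' is empty when nothing tripped."""
    reasons: List[str] = []
    path = extract_path(line)
    ext = ntpath.splitext(path)[1].lower()
    random_names = [n for n in _LOWER8.findall(line) if looks_random(n)]

    if _FILE_MISSING in line:
        reasons.append("file-missing")          # autostart survives, payload is gone
    if random_names:
        reasons.append("random-name")           # generated-looking service/DLL names
    if line.startswith("O20 - Winlogon Notify:"):
        reasons.append("winlogon-notify")       # DLL loaded into winlogon at logon
    if line.startswith("R0 ") and ext != ".sys":
        reasons.append("boot-driver-not-sys")   # boot-start driver from a non-.sys file
    if _DAT_UNDER_SYSTEM32.search(path):
        reasons.append("dat-under-system32")    # 8-letter .dat dropped under system32
    if line.startswith("O4 ") and re.search(r"https?://", line):
        reasons.append("url-in-run-args")       # Run value hands URLs to the program
    if line.startswith("O2 - BHO: (no name)"):
        reasons.append("nameless-bho")          # prompt to check the DLL's vendor
    return {"line": line, "path": path, "reasons": reasons, "random_names": random_names}


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per non-empty log line that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            finding = triage_line(line)
            if finding["reasons"]:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(", ".join(f["reasons"]).ljust(48), f["line"][:72])
```

Two caveats show up in the sample itself. `huslroeo.dat` has a normal vowel ratio and slips past the name rule, so it is only caught because a lowercase eight-letter `.dat` sitting directly in system32 is itself unusual; and the nameless-BHO rule fires on the Spybot SDHelper entry in the full log too, which is why each flag is a prompt to check the file's vendor and signature rather than a verdict.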

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

Combofix Log:-
ComboFix 08-01-03.3 - Dave Witcher 2008-01-03 14:22:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.314 [GMT 0:00]
Running from: C:\Documents and Settings\Dave Witcher\Desktop\ComboFix.exe

* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\Dave Witcher\Application Data\setup_en[1].exe
C:\WINDOWS\system32\drivers\jdmaqxoi.dat
C:\WINDOWS\system32\hcgujwcw.dll
C:\WINDOWS\system32\nnmannm.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_KHMDBJXM
-------\LEGACY_MLJXPZMW
-------\khmdbjxm
-------\mljxpzmw

((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
.

2008-01-03 14:22 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 16:26 --------- d-----w C:\Program Files\SystemErrorFixer
2007-11-07 20:42 --------- d-----w C:\Documents and Settings\Dave Witcher\Application Data\Teleca
2007-11-07 20:41 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-11-07 20:24 --------- d-----w C:\Documents and Settings\Dave Witcher\Application Data\systemerrorfixer
2007-11-07 20:19 --------- d-----w C:\Program Files\Common Files\SystemErrorFixer
2007-11-07 20:19 --------- d-----r C:\Documents and Settings\All Users\Application Data\systemerrorfixer
2007-03-04 17:43 18,696 ----a-w C:\Documents and Settings\Dave Witcher\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [2006-06-26 16:13 1207080]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 19:23 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 09:35 536576]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-25 16:42 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-25 16:38 118784]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 12:48 1392640]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-01-22 14:10:36]
BTTray.lnk - C:\Program Files\Dell\Bluetooth Software\BTTray.exe [2004-04-26 17:13:54]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

S3 se59bus;Sony Ericsson Device 089 driver (WDM);C:\WINDOWS\system32\DRIVERS\se59bus.sys [2006-09-05 19:07]
S3 se59mdfl;Sony Ericsson Device 089 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se59mdfl.sys [2006-09-05 19:07]
S3 se59mdm;Sony Ericsson Device 089 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se59mdm.sys [2006-09-05 19:07]
S3 se59obex;Sony Ericsson Device 089 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se59obex.sys [2006-09-05 19:09]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-03 14:07:54 C:\WINDOWS\Tasks\MP Scheduled Scan.job"

  • C:\Program Files\Windows Defender\MpCmdRun.exe
    .

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 14:28:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


.
Completion time: 2008-01-03 14:30:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-03 14:30:04
.
2007-12-29 09:36:35 --- E O F ---

HijackThis Log:-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:33:10, on 03/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


End of file - 6823 bytes

Sorry about the delay, I’m at work, so it’s rather hit and miss.

I just want to make sure these guys are gone.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt". Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\WINDOWS\system32\pvxnshwf.dat
C:\WINDOWS\system32\huslroeo.dat
C:\WINDOWS\system32\sajnihsj.dat
C:\WINDOWS\system32\tphmlmoq.dat
C:\WINDOWS\system32\oigkpjhj.dat

This will start ComboFix again. Close all browser/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

ComboFix Log:-

ComboFix 08-01-03.3 - Dave Witcher 2008-01-04 7:46:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.342 [GMT 0:00]
Running from: C:\Documents and Settings\Dave Witcher\Desktop\ComboFix.exe
Command switches used :: D:\CFscript.txt

  • Created a new restore point

FILE
C:\WINDOWS\system32\huslroeo.dat
C:\WINDOWS\system32\oigkpjhj.dat
C:\WINDOWS\system32\pvxnshwf.dat
C:\WINDOWS\system32\sajnihsj.dat
C:\WINDOWS\system32\tphmlmoq.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\huslroeo.dat
C:\WINDOWS\system32\oigkpjhj.dat
C:\WINDOWS\system32\pvxnshwf.dat
C:\WINDOWS\system32\sajnihsj.dat
C:\WINDOWS\system32\tphmlmoq.dat

.
((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-03 14:32 . 2008-01-03 14:32 d-------- C:\Program Files\Trend Micro
2008-01-03 14:22 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 16:26 --------- d-----w C:\Program Files\SystemErrorFixer
2007-11-07 20:42 --------- d-----w C:\Documents and Settings\Dave Witcher\Application Data\Teleca
2007-11-07 20:41 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-11-07 20:24 --------- d-----w C:\Documents and Settings\Dave Witcher\Application Data\systemerrorfixer
2007-11-07 20:19 --------- d-----w C:\Program Files\Common Files\SystemErrorFixer
2007-11-07 20:19 --------- d-----r C:\Documents and Settings\All Users\Application Data\systemerrorfixer
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-03-04 17:43 18,696 ----a-w C:\Documents and Settings\Dave Witcher\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [2006-06-26 16:13 1207080]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 19:23 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 09:35 536576]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-25 16:42 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-25 16:38 118784]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 12:48 1392640]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-01-22 14:10:36]
BTTray.lnk - C:\Program Files\Dell\Bluetooth Software\BTTray.exe [2004-04-26 17:13:54]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

S3 se59bus;Sony Ericsson Device 089 driver (WDM);C:\WINDOWS\system32\DRIVERS\se59bus.sys [2006-09-05 19:07]
S3 se59mdfl;Sony Ericsson Device 089 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se59mdfl.sys [2006-09-05 19:07]
S3 se59mdm;Sony Ericsson Device 089 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se59mdm.sys [2006-09-05 19:07]
S3 se59obex;Sony Ericsson Device 089 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se59obex.sys [2006-09-05 19:09]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-03 14:30:53 C:\WINDOWS\Tasks\MP Scheduled Scan.job"

  • C:\Program Files\Windows Defender\MpCmdRun.exe
    .

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 07:47:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


.
Completion time: 2008-01-04 7:48:04
ComboFix-quarantined-files.txt 2008-01-04 07:47:48
ComboFix2.txt 2008-01-03 14:30:14
.
2007-12-29 09:36:35 --- E O F ---

That looks good. Is everything ok now?

Oldman,

Looks great, thanks! I ran another Boot Time Scan and it found a few issues which were moved to the chest. Should I delete these now?

I'm running XP with Avast 4.7 and the Windows firewall. Should I use anything else for the future?

Thanks,

Phil B

What did the boot time scan find?

I have something for you in the clean up session. An antispyware program is good to have.

It found
Win32:delf-FNP
Win32:delf-GFV
Win32:BHO-KD

and moved them to the chest.

Is the free AVG Anti-spyware any good?

Avg is ok, I like SAS myself.

Can you navigate to this folder in Windows Explorer:

C:\program files\Alwil Software\avast4\data\logs

click on the logs folder, then in the right hand panel, double click on the warning log. It will open with notepad. Please copy and paste the last 10-15 lines and post them here. I just want to see the files detected.

thanks

There you go…

20/10/2007 16:57:00 1192895820 SYSTEM 120 Sign of "Win32:Renos-AF [trj]" has been found in "http://scanner.malware-scan.com/aswp/Install-YmV0dGVybXk-a2V5aW5fYW9fNDI1MV8xOTIyXzIzNTlfYW9fX2FvXzM5NThfMF8zNTY4X2FvXw-MQ.cab\unp50272185\setup.exe" file.
26/10/2007 00:53:27 1193356407 SYSTEM 2032 Sign of "Win32:Renos-AF [trj]" has been found in "http://scanner.malware-scan.com/aswp/Install-MnJhcGlkbHk-a2V5aW5fYW9fNDUxNF8yNTA2XzIzNThfYW9fX2FvXzM5NThfMF8zNTY5X2FvXw-MQ.cab\unp40352252\setup.exe" file.
26/10/2007 00:54:11 1193356451 SYSTEM 2032 Sign of "Win32:Renos-AF [trj]" has been found in "http://scanner.malware-scan.com/aswp/Install-MnJhcGlkbHk-a2V5aW5fYW9fNDUxNF8yNTA2XzIzNThfYW9fX2FvXzM5NThfMF8zNTY5X2FvXw-MQ.exe" file.
26/10/2007 00:54:12 1193356452 SYSTEM 2032 Sign of "Win32:Renos-AF [trj]" has been found in "http://scanner.malware-scan.com/aswp/Install-MnJhcGlkbHk-a2V5aW5fYW9fNDUxNF8yNTA2XzIzNThfYW9fX2FvXzM5NThfMF8zNTY5X2FvXw-MQ.exe" file.
26/10/2007 00:54:43 1193356483 SYSTEM 2032 Sign of "Win32:Renos-AF [trj]" has been found in "http://scanner.malware-scan.com/aswp/Install-MnJhcGlkbHk-a2V5aW5fYW9fNDUxNF8yNTA2XzIzNThfYW9fX2FvXzM5NThfMF8zNTY5X2FvXw-MQ.exe" file.
02/11/2007 17:17:11 1194023831 SYSTEM 2028 Sign of "Win32:Adware-gen [Adw]" has been found in "http://files-pl.starware.com/installs/links/recipes.exe\$INSTDIR\bin\$PLUGINSDIR\NSISdl.dll" file.
10/12/2007 10:35:55 1197282955 Dave Witcher 124 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\Drivers\jdmaqxoi.dat (C:\WINDOWS\system32\Drivers\jdmaqxoi.dat) returning error, 00000005.
10/12/2007 10:35:55 1197282955 Dave Witcher 124 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\DAVEWI~1\LOCALS~1\Temp\mlvtgmlv.dat (C:\DOCUME~1\DAVEWI~1\LOCALS~1\Temp\mlvtgmlv.dat) returning error, 00000005.
10/12/2007 10:35:55 1197282955 Dave Witcher 124 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\DAVEWI~1\LOCALS~1\Temp\mlvtgmlv.dat (C:\DOCUME~1\DAVEWI~1\LOCALS~1\Temp\mlvtgmlv.dat) returning error, 00000005.
10/12/2007 10:35:55 1197282955 Dave Witcher 124 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\drivers\jdmaqxoi.dat (C:\WINDOWS\system32\drivers\jdmaqxoi.dat) returning error, 00000005.
31/12/2007 19:43:48 1199130228 SYSTEM 2040 Sign of "Win32:BHO-KD [trj]" has been found in "C:\WINDOWS\SYSTEM32\HCGUJWCW.DLL[UPX]" file.
31/12/2007 19:45:25 1199130325 SYSTEM 2040 Sign of "Win32:BHO-KD [trj]" has been found in "C:\windows\system32\hcgujwcw.dll[UPX]" file.
02/01/2008 10:38:39 1199270319 SYSTEM 2040 Sign of "Win32:BHO-KD [trj]" has been found in "C:\windows\system32\hcgujwcw.dll[UPX]" file.
03/01/2008 12:08:33 1199362113 SYSTEM 168 Sign of "Win32:BHO-KD [trj]" has been found in "C:\WINDOWS\SYSTEM32\HCGUJWCW.DLL[UPX]" file.
03/01/2008 13:04:55 1199365495 Dave Witcher 1456 Sign of "Win32:BHO-KD [trj]" has been found in "c:\windows\system32\hcgujwcw.dll[UPX]" file.
03/01/2008 13:48:00 1199368080 SYSTEM 340 Sign of "Win32:BHO-KD [trj]" has been found in "C:\windows\system32\hcgujwcw.dll[UPX]" file.
03/01/2008 13:50:06 1199368206 SYSTEM 340 Sign of "Win32:Delf-GKK [trj]" has been found in "C:\WINDOWS\temp\nmmdwqvp.dll[Morphine][UPX]" file.
03/01/2008 14:07:07 1199369227 Dave Witcher 3004 Sign of "Win32:BHO-KD [trj]" has been found in "c:\windows\system32\hcgujwcw.dll[UPX]" file.

It looks like the avast detections were before you ran ComboFix the last time. ComboFix removed those files.

I'd like you to do this cleanup list, then go to the link below and do an online scan. You will have to pause the avast standard shield during the scan: right click the "a" icon, select pause, then standard shield. Remember to resume it after the scan. You can do the firewall after the scan.

Please post the results in your next reply.

http://www.eset.com/onlinescan/

1. Click the Start button, click Run, copy and paste the line below into the box, and click OK.

combofix /u

2. Please download OTMoveIt by OldTimer.
[*] Save it to your desktop.
[*] Please double-click OTMoveIt2.exe to run it.

Then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

3. Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

Remove old restore points

4. Disk Cleanup

  • Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

5. Download and run this clean up utility. You can use it regularly. When it's first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp

It looks like you are using Windows Firewall. It doesn't provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0
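The reply above reasons from the warning.log timestamps: every detection is earlier than the ComboFix run, so the files are already gone. As an added example (not part of the thread and not avast's or ComboFix's own tooling), this Python parser reads lines in the warning.log layout pasted above, separates real "Sign of" detections from AAVM scan-error lines, strips the packer annotations such as [UPX], and checks whether any detection is later than the ComboFix completion time from the first log. The sample lines are constructed in that layout; COMBOFIX_DONE is taken from the log's "Completion time" and assumes the machine's GMT 0:00 offset shown in the ComboFix header.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample in the layout of avast 4's warning.log as pasted in the thread:
# "DD/MM/YYYY HH:MM:SS <epoch> <user> <pid> <message>". The user name may contain
# spaces ("Dave Witcher"), so lines are matched with a regex, not split on whitespace.
SAMPLE_LOG = r"""
10/12/2007 10:35:55 1197282955 Dave Witcher 124 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\Drivers\jdmaqxoi.dat (C:\WINDOWS\system32\Drivers\jdmaqxoi.dat) returning error, 00000005.
31/12/2007 19:43:48 1199130228 SYSTEM 2040 Sign of "Win32:BHO-KD [trj]" has been found in "C:\WINDOWS\SYSTEM32\HCGUJWCW.DLL[UPX]" file.
03/01/2008 13:50:06 1199368206 SYSTEM 340 Sign of "Win32:Delf-GKK [trj]" has been found in "C:\WINDOWS\temp\nmmdwqvp.dll[Morphine][UPX]" file.
03/01/2008 14:07:07 1199369227 Dave Witcher 3004 Sign of "Win32:BHO-KD [trj]" has been found in "c:\windows\system32\hcgujwcw.dll[UPX]" file.
"""

# ComboFix "Completion time" from the first log in the thread. The ComboFix header
# shows the box at GMT 0:00, so the log's local times and its epoch field agree.
COMBOFIX_DONE = datetime(2008, 1, 3, 14, 30, 14, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (?P<epoch>\d+) (?P<user>.+?) (?P<pid>\d+) (?P<msg>.*)$")
DETECT_RE = re.compile(r'^Sign of "(?P<name>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$')
ERROR_RE = re.compile(r"^AAVM - scanning warning: \S+ \[\w+\]: (?P<path>.+?) \(.*\) returning error, (?P<code>[0-9A-Fa-f]{8})\.$")
PACKER_RE = re.compile(r"\[([^\]]+)\]")  # unpacking layers appended to the path, e.g. [Morphine][UPX]


@dataclass
class Entry:
    when: datetime                  # UTC, taken from the epoch field
    user: str
    pid: int
    kind: str                       # "detection" or "scan-error"
    path: str                       # file path with packer annotations removed
    name: Optional[str] = None      # signature name (detections only)
    packers: List[str] = field(default_factory=list)
    code: Optional[str] = None      # Win32 error code (scan errors only)


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc)
    user, pid, msg = m["user"], int(m["pid"]), m["msg"]
    d = DETECT_RE.match(msg)
    if d:
        return Entry(when, user, pid, "detection", PACKER_RE.sub("", d["path"]),
                     name=d["name"], packers=PACKER_RE.findall(d["path"]))
    e = ERROR_RE.match(msg)
    if e:
        # 00000005 is ERROR_ACCESS_DENIED: the scanner could not open the file.
        # Worth a look (locked files are a classic sign), but it is not a detection.
        return Entry(when, user, pid, "scan-error", e["path"], code=e["code"])
    return None


def parse_warning_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def detections(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.kind == "detection"]


def detections_after(entries: List[Entry], cutoff: datetime) -> List[Entry]:
    """Detections logged after cutoff; an empty list means nothing fired since then."""
    return [e for e in detections(entries) if e.when > cutoff]


def summarize(entries: List[Entry]) -> Dict[str, List[str]]:
    """Signature name -> sorted unique paths, lower-cased because NTFS paths are case-insensitive."""
    out: Dict[str, set] = {}
    for e in detections(entries):
        out.setdefault(e.name, set()).add(e.path.lower())
    return {k: sorted(v) for k, v in sorted(out.items())}
```

Run against the real warning.log from the thread, `detections_after(entries, COMBOFIX_DONE)` returning an empty list is the check behind the reply's conclusion; any non-empty result would mean a detection after the ComboFix run and warrant another look.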

Gonna have to do that at home tonight - I’m doing this at work for a friend and the PC is not connected to the net to do online scans so there will be a couple of days delay before I get to it - the wife has too much decorating for me at home to spend sat at the PC!!!

ESET scan attached as a jpeg as I do not know how to output a report file. Thanks.