Help with continuous infection please.

Hi, I’m a newbie here.

A few days ago I got warnings that Avast had detected two viruses (VBS:Malware-gen and Win32:Trojan-gen {Other}). I followed the advice and removed them both to the chest. Now, however, whenever I log in and my computer starts up there are always 2 or 3 viruses detected (all of which I move to the chest as directed) - so far the list is at VBS:Malware-gen, Win32:Trojan-gen {Other} and Win32:Rootkit-gen [Rtk], which just appear over and over again. I have tried the Avast virus cleaner as well as scanning all files and running a boot time scan, all to no avail.

Aside from slowing my computer and replacing my desktop image with a blue screen, no other functions seem to be impaired (yet) but I’d love to get it sorted out.

Any help would be much appreciated. Thanks!

What’s your operating system?

I suggest you download HiJackThis and post a log here.

Do what Jaytaylor says.
There is a sticky about HJT: do NOT download it to your desktop.
In this case DO NOT FIX ANYTHING, just post the scan here.


Respawning baddies are not good.

Have you tried a boot time scan with Avast? Right-click the ball and update the program,
then right-click again, schedule the scan and reboot.

Please run a Malwarebytes Anti-Malware scan and ALSO a Rogue Remover scan.
Click REMOVE (a backup will be created).
Post the log.

Can you get to “virus total” and upload the files in the Chest (not the system backup files - leave those ALONE)?

Thanks for such speedy responses!

My operating system is Windows XP and I have tried running a boot time scan but it picks up nothing.

The log file from HJT is this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:41 PM, on 8/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\lphcntmj0e145.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AOL 7.0\aoltray.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ap.dell.com/content/default.aspx?c=au&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/default.aspx?c=au&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://au.mcafee.com/root/redirects/support.asp?affid=105-68
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [IntelZeroConfig] “C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe”
O4 - HKLM..\Run: [IntelWireless] “C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” /tf Intel PROSet/Wireless
O4 - HKLM..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [DVDLauncher] “C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe”
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [Google Desktop Search] “C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM..\Run: [dscactivate] “C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe”
O4 - HKLM..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM..\Run: [lphcntmj0e145] C:\WINDOWS\system32\lphcntmj0e145.exe
O4 - HKCU..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [DellSupport] “C:\Program Files\DellSupport\DSAgnt.exe” /startup
O4 - HKCU..\Run: [DellSupportCenter] “C:\Program Files\Dell Support Center\bin\sprtcmd.exe” /P DellSupportCenter
O4 - HKCU..\Run: [updateMgr] “C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe” AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-18..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User ‘Default user’)
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\2000\Office\OSA9.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O24 - Desktop Component 1: MuggleNet’s Deathly Hallows/Order of the Phoenix Countdown - http://www.mugglenet.com/countdown/desktop-dhootp.html


End of file - 11524 bytes

Thanks again for the help.

First of all, your Java is out of date. Please uninstall the old version and install the latest here.

C:\WINDOWS\system32\lphcntmj0e145.exe

Second, upload this file above to VirusTotal and post the results.

I also need to see the avast! warning text.

Ceywood, as your Sun Java is way down level, there could be other severely vulnerable versions of Sun Java on your system.

Go to Add/Remove Programs and uninstall all versions of Sun Java.

Download JavaRa, then run it to ensure that the remnants are gone:
http://raproducts.org

Download MBAM, run it and do an Update to get its latest definitions, then run a Quick scan and post its results here:
http://www.malwarebytes.org/mbam.php

Then run Secunia: Online Software Inspector to find out what other applications are installed that have vulnerabilities:
http://secunia.com/software_inspector

You will find that you need to download and install Windows Service Pack 3.

Thanks, you two.

I’ve removed all out of date Java and am currently installing the latest version.

Jtaylor 83 the results of uploading that file to VirusTotal are as follows:

File lphcv24j0e184.exe.vir received on 08.24.2008 16:51:43 (CET)
Current status: finished
Result: 20/36 (55.56%)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.21.0 2008.08.22 -
AntiVir 7.8.1.23 2008.08.23 BDS/Agent.pjv
Authentium 5.1.0.4 2008.08.24 -
Avast 4.8.1195.0 2008.08.23 -
AVG 8.0.0.161 2008.08.24 SHeur.CDRG
BitDefender 7.2 2008.08.24 Trojan.FakeAlert.Gen.1
CAT-QuickHeal 9.50 2008.08.22 Backdoor.Agent.pjv
ClamAV 0.93.1 2008.08.24 -
DrWeb 4.44.0.09170 2008.08.24 Trojan.Packed.569
eSafe 7.0.17.0 2008.08.24 Suspicious File
eTrust-Vet 31.6.6044 2008.08.23 -
Ewido 4.0 2008.08.24 -
F-Prot 4.4.4.56 2008.08.24 -
F-Secure 7.60.13501.0 2008.08.24 Backdoor.Win32.Agent.pjv
Fortinet 3.14.0.0 2008.08.24 W32/Agent.PJV!tr.bdr
GData 2.0.7306.1023 2008.08.20 Backdoor.Win32.Agent.pjv
Ikarus T3.1.1.34.0 2008.08.24 Backdoor.Win32.Agent.pjv
K7AntiVirus 7.10.427 2008.08.23 -
Kaspersky 7.0.0.125 2008.08.24 Backdoor.Win32.Agent.pjv
McAfee 5368 2008.08.22 Generic FakeAlert.a
Microsoft 1.3807 2008.08.24 Program:Win32/XPAntiVirus
NOD32v2 3382 2008.08.23 -
Norman 5.80.02 2008.08.22 -
Panda 9.0.0.4 2008.08.24 Adware/XPSecurityCenter
PCTools 4.4.2.0 2008.08.24 -
Prevx1 V2 2008.08.24 Malicious Software
Rising 20.58.62.00 2008.08.24 -
Sophos 4.32.0 2008.08.24 Mal/EncPk-CZ
Sunbelt 3.1.1575.1 2008.08.23 -
Symantec 10 2008.08.24 Trojan.Blusod
TheHacker 6.3.0.6.060 2008.08.23 -
TrendMicro 8.700.0.1004 2008.08.23 -
VBA32 3.12.8.4 2008.08.23 suspected of Malware-Cryptor.Win32.General.2
ViRobot 2008.8.22.1346 2008.08.22 Backdoor.Win32.Agent.121344.C
VirusBuster 4.5.11.0 2008.08.24 -
Webwasher-Gateway 6.6.2 2008.08.24 Trojan.Backdoor.Agent.pjv

Did you need the Additional Info as well?

The Avast warnings logfile -

8/20/2008 11:23:24 PM 1219240404 SYSTEM 1796 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Ceywood\Local Settings\Temp.tt80.tmp.vbs” file.
8/20/2008 11:23:45 PM 1219240425 SYSTEM 1796 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\system32\blphcntmj0e145.scr” file.
8/21/2008 8:02:55 AM 1219271575 SYSTEM 1808 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
8/21/2008 8:02:56 AM 1219271576 SYSTEM 1808 An error has occured while attempting to update. Please check the logs.
8/21/2008 8:05:30 AM 1219271730 SYSTEM 1808 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Ceywood\Local Settings\Temp.tt2C.tmp.vbs” file.
8/21/2008 8:06:42 AM 1219271802 SYSTEM 1808 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\system32\blphcntmj0e145.scr” file.
8/22/2008 7:59:18 AM 1219357758 Ceywood 1804 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Ceywood\Local Settings\Temp.tt2D.tmp.vbs” file.
8/22/2008 8:01:22 AM 1219357882 Ceywood 1804 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\system32\blphcntmj0e145.scr” file.
8/22/2008 8:02:04 AM 1219357924 Ceywood 1804 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\WINDOWS\system32\sysrest.sys” file.
8/22/2008 8:48:13 PM 1219403893 Ceywood 1808 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Ceywood\Local Settings\Temp.tt1C.tmp.vbs” file.
8/22/2008 8:48:19 PM 1219403899 Ceywood 1808 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\system32\blphcntmj0e145.scr” file.
8/22/2008 8:48:43 PM 1219403923 Ceywood 1808 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Ceywood\Local Settings\Temp.tt1C.tmp.vbs” file.
8/22/2008 8:49:59 PM 1219403999 Ceywood 1808 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
8/22/2008 8:50:00 PM 1219404000 Ceywood 1808 An error has occured while attempting to update. Please check the logs.
8/22/2008 8:53:30 PM 1219404210 Ceywood 1808 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\WINDOWS\system32\sysrest.sys” file.
8/22/2008 10:22:03 PM 1219409523 Ceywood 1224 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Ceywood\Local Settings\Temp.ttE.tmp.vbs” file.
8/22/2008 10:22:46 PM 1219409566 Ceywood 1224 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\WINDOWS\system32\sysrest.sys” file.
8/22/2008 10:23:17 PM 1219409597 Ceywood 1224 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\system32\blphcntmj0e145.scr” file.
8/24/2008 10:18:18 AM 1219538898 Ceywood 1824 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Ceywood\Local Settings\Temp.tt1D.tmp.vbs” file.
8/24/2008 10:21:24 AM 1219539084 Ceywood 1824 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\system32\blphcntmj0e145.scr” file.
8/24/2008 10:23:42 AM 1219539222 Ceywood 1824 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\WINDOWS\system32\sysrest.sys” file.
8/24/2008 5:30:56 PM 1219564856 Ceywood 1812 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\WINDOWS\system32\sysrest32.exe” file.
8/24/2008 5:32:08 PM 1219564928 Ceywood 1812 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Ceywood\Local Settings\Temp.tt1B.tmp.vbs” file.
8/24/2008 5:32:22 PM 1219564942 Ceywood 1812 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\system32\blphcntmj0e145.scr” file.
8/24/2008 5:32:49 PM 1219564969 Ceywood 1812 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
8/24/2008 5:32:54 PM 1219564974 Ceywood 1812 An error has occured while attempting to update. Please check the logs.
8/24/2008 5:38:18 PM 1219565298 Ceywood 1812 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Ceywood\Local Settings\Temp.tt6A.tmp” file.
8/24/2008 5:48:43 PM 1219565923 Ceywood 1812 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Ceywood\Local Settings\Temp.tt74.tmp” file.
8/24/2008 5:51:30 PM 1219566090 Ceywood 1804 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Ceywood\Local Settings\Temp.ttF.tmp.vbs” file.
8/24/2008 5:51:47 PM 1219566107 Ceywood 1804 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\system32\blphcntmj0e145.scr” file.
8/24/2008 5:52:10 PM 1219566130 Ceywood 1804 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Ceywood\Local Settings\Temp.tt14.tmp” file.
8/24/2008 6:03:15 PM 1219566795 Ceywood 1804 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Ceywood\Local Settings\Temp.tt6F.tmp” file.
8/25/2008 11:16:31 AM 1219628791 SYSTEM 1804 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
8/25/2008 11:16:31 AM 1219628791 SYSTEM 1804 An error has occured while attempting to update. Please check the logs.
8/25/2008 11:18:58 AM 1219628938 SYSTEM 1804 Sign of “VBS:Malware-gen” has been found in “C:\Documents and Settings\Ceywood\Local Settings\Temp.tt2E.tmp.vbs” file.
8/25/2008 11:19:58 AM 1219628998 SYSTEM 1804 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\system32\blphcntmj0e145.scr” file.
8/25/2008 11:20:22 AM 1219629022 SYSTEM 1804 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Ceywood\Local Settings\Temp.tt57.tmp” file.
8/25/2008 11:30:47 AM 1219629647 SYSTEM 1804 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Ceywood\Local Settings\Temp.tt6C.tmp” file.
8/25/2008 11:41:05 AM 1219630265 SYSTEM 1804 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Ceywood\Local Settings\Temp.tt71.tmp” file.
8/25/2008 11:51:27 AM 1219630887 SYSTEM 1804 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Ceywood\Local Settings\Temp.tt7C.tmp” file.
8/25/2008 12:01:39 PM 1219631499 SYSTEM 1804 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Ceywood\Local Settings\Temp.tt8A.tmp” file.
8/25/2008 12:11:55 PM 1219632115 SYSTEM 1804 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Ceywood\Local Settings\Temp.tt95.tmp” file.
8/25/2008 12:22:14 PM 1219632734 SYSTEM 1804 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Ceywood\Local Settings\Temp.ttC7.tmp” file.

I’ll post the other info when I’ve downloaded and run your suggestions, YoKenny.
Thanks!
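One way to make the respawn pattern in a warning log like the one above visible, as an added example that is not from the thread or from avast!: a Python script that parses that log-line format, collapses the random temp-file names, and lists the artifacts that are detected again in later avast service sessions (separate PIDs). The sample lines are constructed after the post's format, and the `.tt<rand>` label and the "distinct PID = distinct session" heuristic are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple


class Detection(NamedTuple):
    """One parsed 'Sign of ... has been found in ... file.' warning line."""
    when: datetime
    user: str
    pid: int          # PID of the avast service instance that logged it
    signature: str
    path: str


# Layout of an avast! 4 warning-log line as posted in the thread:
#   <date> <time> <epoch> <user> <pid> Sign of "<sig>" has been found in "<path>" file.
# Straight and curly quotes are both accepted, because forum software often
# rewrites straight quotes when a log is pasted into a post.
_LINE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<epoch>\d+) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of ["\u201c](?P<sig>[^"\u201d]+)["\u201d] has been found in '
    r'["\u201c](?P<path>[^"\u201d]+)["\u201d] file\.$'
)

# The droppers in %TEMP% (".tt80.tmp.vbs", ".tt2C.tmp", ...) are the same
# artifact under a fresh random name each time, so fold the hex part away.
_TEMP_NAME = re.compile(r'\.tt[0-9A-Fa-f]+\.tmp')


def parse_log(text: str) -> List[Detection]:
    """Return the detection lines of an avast! warning log.
    Update errors and other non-detection lines are skipped."""
    found = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        found.append(Detection(
            when=datetime.strptime(m['date'], '%m/%d/%Y %I:%M:%S %p'),
            user=m['user'], pid=int(m['pid']),
            signature=m['sig'], path=m['path']))
    return found


def normalize_path(path: str) -> str:
    """Replace the random temp-file name with a fixed label so repeats group."""
    return _TEMP_NAME.sub('.tt<rand>.tmp', path)


def recurring_artifacts(dets: List[Detection], min_sessions: int = 2) -> Dict[str, dict]:
    """Group detections by normalised path and keep those seen in at least
    `min_sessions` distinct service instances (distinct PIDs, assumed here to
    mean distinct boots). A file moved to the chest that still comes back in
    a later session is being recreated by something that is still running."""
    by_path: Dict[str, List[Detection]] = defaultdict(list)
    for d in dets:
        by_path[normalize_path(d.path)].append(d)
    report = {}
    for path, hits in by_path.items():
        sessions = {d.pid for d in hits}
        if len(sessions) < min_sessions:
            continue
        report[path] = {
            'hits': len(hits),
            'sessions': len(sessions),
            'signatures': sorted({d.signature for d in hits}),
            'first': min(d.when for d in hits),
            'last': max(d.when for d in hits),
        }
    return report


# Constructed sample in the format of the log in the thread (not a copy of it);
# the third line is an update error and must be ignored by the parser.
SAMPLE_LOG = r"""
8/20/2008 11:23:24 PM 1219240404 SYSTEM 1796 Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\User\Local Settings\Temp\.tt80.tmp.vbs" file.
8/20/2008 11:23:45 PM 1219240425 SYSTEM 1796 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\blphcntmj0e145.scr" file.
8/21/2008 8:02:55 AM 1219271575 SYSTEM 1808 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
8/21/2008 8:05:30 AM 1219271730 SYSTEM 1808 Sign of "VBS:Malware-gen" has been found in "C:\Documents and Settings\User\Local Settings\Temp\.tt2C.tmp.vbs" file.
8/21/2008 8:06:42 AM 1219271802 SYSTEM 1808 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\blphcntmj0e145.scr" file.
8/22/2008 8:02:04 AM 1219357924 User 1804 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\sysrest.sys" file.
8/24/2008 5:30:56 PM 1219564856 User 1812 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\sysrest32.exe" file.
8/24/2008 5:38:18 PM 1219565298 User 1812 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\User\Local Settings\Temp\.tt6A.tmp" file.
"""

if __name__ == '__main__':
    for path, info in recurring_artifacts(parse_log(SAMPLE_LOG)).items():
        print(f"{info['hits']} hits in {info['sessions']} sessions "
              f"({info['first']:%m/%d} to {info['last']:%m/%d}): {path} {info['signatures']}")
```

Artifacts that show up in only one session drop out of the report; raise `min_sessions` to 1 to see every detection grouped the same way.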

Hello Ceywood

In the meantime, can you please email the
C:\WINDOWS\system32\lphcntmj0e145.exe file to Virus@avast.com in a password-protected Zip file,
with the topic being “Virus” and the password in the email body, and please post a link to this topic in the email as well to help improve Avast! detections.
Thanks

-Justin

MBAM log:

Malwarebytes’ Anti-Malware 1.25
Database version: 1086
Windows 5.1.2600 Service Pack 2

3:05:17 PM 8/25/2008
mbam-log-08-25-2008 (15-05-05).txt

Scan type: Full Scan (C:|D:|)
Objects scanned: 96447
Time elapsed: 34 minute(s), 29 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
C:\WINDOWS\system32\lphcntmj0e145.exe (Trojan.FakeAlert) → No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) → No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcntmj0e145 (Trojan.FakeAlert) → No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) → No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) → No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) → No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) → No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) → Bad: (1) Good: (0) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) → Bad: (1) Good: (0) → No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Ceywood\Local Settings\Temp.ttE.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Ceywood\Local Settings\Temp.ttF.tmp (Trojan.Downloader) → No action taken.
C:\WINDOWS\system32\lphcntmj0e145.exe (Trojan.FakeAlert) → No action taken.
C:\WINDOWS\system32\phcntmj0e145.bmp (Trojan.FakeAlert) → No action taken.

Looks like a disk cleanup is needed.

I suggest:

ATF-Cleaner
CCleaner (slim version only)

I also prefer SuperAntiSpyware Free Version. It’s best to quarantine than to delete the infection.

Re-run the Malwarebytes program and click
REMOVE; a backup will be made, so not to worry.
Post the new log.

Then, as suggested, download, update and run SUPERAntiSpyware.
Post the log.
It is a great companion to MBAM.

Keep both around as on-demand scanners;
as some new infections screw up your internet connection, keep both reasonably up to date.

Post up a new HJT.

Keep this YoKenny suggestion on your “to do” list for when the malware is gone:
“Then run Secunia: Online Software Inspector to find out what other applications are installed that have vulnerabilities:
http://secunia.com/software_inspector”

Question:
when running avast did you remove/delete or move to chest? I gotta go or I’d look.

Ran Malware bytes again, log below:

Malwarebytes’ Anti-Malware 1.25
Database version: 1086
Windows 5.1.2600 Service Pack 2

10:36:40 PM 8/26/2008
mbam-log-08-26-2008 (22-36-40).txt

Scan type: Full Scan (C:|D:|)
Objects scanned: 95591
Time elapsed: 44 minute(s), 21 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
C:\WINDOWS\system32\lphcntmj0e145.exe (Trojan.FakeAlert) → Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcntmj0e145 (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Ceywood\Local Settings\Temp.ttD.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Ceywood\Local Settings\Temp.ttE.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Ceywood\Local Settings\Temp.ttF.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcntmj0e145.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\WINDOWS\system32\phcntmj0e145.bmp (Trojan.FakeAlert) → Quarantined and deleted successfully.

Currently running SUPERAntiSpyware scan…

AND no more viruses have been detected in the meantime!!! THANK YOU ALL!!

Nope, spoke too soon - this warning just came up:

8/26/2008 10:57:37 PM 1219757257 SYSTEM 1840 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\SYSTEM VOLUME INFORMATION_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP191\A0050520.EXE” file.

Now the SUPERAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/26/2008 at 11:08 PM

Application Version : 4.20.1046

Core Rules Database Version : 3548
Trace Rules Database Version: 1536

Scan type : Complete Scan
Total Scan Time : 00:28:33

Memory items scanned : 633
Memory threats detected : 0
Registry items scanned : 5568
Registry threats detected : 0
File items scanned : 18369
File threats detected : 309

Adware.Tracking Cookie

REALLY long - attached.

Finally, ran HJT again:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:26 PM, on 8/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\AOL 7.0\aoltray.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

Cont.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ap.dell.com/content/default.aspx?c=au&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/default.aspx?c=au&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://au.mcafee.com/root/redirects/support.asp?affid=105-68
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\2000\Office\OSA9.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O24 - Desktop Component 1: MuggleNet's Deathly Hallows/Order of the Phoenix Countdown - http://www.mugglenet.com/countdown/desktop-dhootp.html


End of file - 11597 bytes
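A log like the one above is read by hand in these threads, but the format is regular enough to triage with a script. The following is an added example, not HijackThis code and not part of the original thread: it parses the `Oxx - ...` entry lines, pulls the program path out of O4 autostart entries and the publisher out of O23 service entries, and flags the entry types a responder would look at first (orphaned `(no file)` keys, autostarts given as a bare file name, Run keys under the SYSTEM or Default user hive, AppInit_DLLs and Winlogon Notify DLLs, services with no publisher). The heuristics and the reason tags are my assumptions about what deserves a second look, not verdicts; the sample log is constructed from a handful of lines copied from the post.

```python
"""Triage helper for HijackThis (HJT) logs.

Added example, not part of the original thread and not HijackThis code.
It parses the line format visible in the posted log (Oxx/Rx prefixes) and
flags the entry types a responder looks at first.  The heuristics and the
reason tags are assumptions about what is worth a second look, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One HJT entry: a section code, " - ", then the body.  R0/R1 are IE URLs,
# O2 BHOs, O3 toolbars, O4 autostarts, O20 AppInit/Winlogon, O23 services.
ENTRY_RE = re.compile(r"^(?P<code>[ORFN]\d+) - (?P<body>.+)$")

# O4 body: "<hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# First program path in a command line, quoted or not (HJT does not quote
# consistently, and unquoted paths may contain spaces).
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|com|scr|bat|cmd))"?(?:\s|$)',
                    re.IGNORECASE)


@dataclass
class Finding:
    code: str     # HJT section code, e.g. "O4"
    reason: str   # short tag for the heuristic that fired (assumed names)
    item: str     # the entry body, for display


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (code, body) pairs for every HJT entry line in the log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def executable_path(cmd: str) -> Optional[str]:
    """Extract the program path from an O4-style command line, or None."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def triage(text: str) -> List[Finding]:
    """Apply simple heuristics to an HJT log and return what to look at."""
    findings = []
    for code, body in parse_hjt(text):
        # Entry whose target no longer exists: an orphaned registry key.
        # Usually harmless, but also what a removed dropper leaves behind.
        if "(no file)" in body:
            findings.append(Finding(code, "orphan", body))

        if code == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            path = executable_path(m.group("cmd"))
            # A bare file name is resolved through the search path at logon,
            # so a same-named file earlier in that path would run instead.
            if path and "\\" not in path:
                findings.append(Finding(code, "bare-filename", body))
            # Run keys under HKU\S-1-5-18 or .DEFAULT run in the SYSTEM /
            # logon-screen context, an unusual place for user software.
            if m.group("hive").startswith("HKUS"):
                findings.append(Finding(code, "foreign-hive", body))

        elif code == "O20":
            # AppInit_DLLs: loaded into every process that maps user32.dll.
            if body.startswith("AppInit_DLLs"):
                findings.append(Finding(code, "appinit", body))
            # Winlogon Notify: DLL loaded into winlogon.exe at logon/logoff.
            elif body.startswith("Winlogon Notify"):
                findings.append(Finding(code, "winlogon-notify", body))

        elif code == "O23":
            # "Service: <name> - <publisher> - <path>"; HJT prints
            # "Unknown owner" when the binary carries no company name.
            parts = body.split(" - ")
            if len(parts) >= 3 and parts[-2].strip() == "Unknown owner":
                findings.append(Finding(code, "unknown-publisher", body))
    return findings


# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\Explorer.EXE

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason:17} {f.item}")
```

Run against the sample it prints six findings (the orphaned toolbar, the bare `stsystra.exe` autostart, the SYSTEM-hive Run key, both O20 loaders and the DellSupport broker service) and stays silent on the avast! and Intel entries. A flag means "check this file's location and publisher, and upload it to VirusTotal as suggested earlier in the thread", not "remove it": every entry flagged in this sample has a benign explanation on the original log.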