jkrudy's BHO

Hi welcome to the forum.

Please run the programs in the order I posted them.

Download and run this clean up utility. You can use it regularly. When it’s first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Click here to download HJTsetup.exe

- Save HJTsetup.exe to your desktop.
- Double-click on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
- Put a check by Create a desktop icon, then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
- Click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log.
- Come back here to this thread and paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Thank you for setting this up for me. One question. I've been told to run anti-virus software while in Safe Mode. Do you want me to run these in Safe Mode or just after a regular boot-up, or does it matter?

Run them from normal windows please.

Here is the ComboFix log. Give me a minute to run HijackThis:

ComboFix 08-01-09.2 - Sandy Rudy 2008-01-08 18:06:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1544 [GMT -7:00]
Running from: C:\Install\ComboFix.exe

* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cdfvie.dll
C:\WINDOWS\system32\drivers\baamhrba.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FKORGGKC
-------\fkorggkc

((((((((((((((((((((((((( Files Created from 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))
.

2008-01-08 18:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-07 22:07 . 2008-01-07 22:07 2,126 --a------ C:\WINDOWS\system32\wpa.dbl
2008-01-07 19:07 . 2008-01-07 22:48 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-01 16:29 . 2008-01-01 16:29 d-------- C:\VundoFix Backups
2007-12-28 20:53 . 2008-01-01 19:54 356,352 --a------ C:\Documents and Settings\Sandy Rudy\cwshredder.dll
2007-12-26 20:22 . 2005-09-15 03:15 860,160 -ra------ C:\WINDOWS\system32\mcs_dec2.ax
2007-12-26 20:22 . 2005-08-22 04:11 700,416 -ra------ C:\WINDOWS\system32\mcs_cor1.dll
2007-12-26 20:22 . 2005-11-08 22:05 282,624 -ra------ C:\WINDOWS\Uninstall.exe
2007-12-26 20:22 . 2005-09-15 01:16 249,856 -ra------ C:\WINDOWS\system32\mcs_cor2.dll
2007-12-26 20:22 . 2005-08-22 04:12 147,456 -ra------ C:\WINDOWS\system32\mcs_vfw.dll
2007-12-26 20:22 . 2005-11-03 16:29 72,832 -ra------ C:\WINDOWS\system32\drivers\CamAvb.sys
2007-12-26 20:22 . 2005-12-16 01:53 58,624 -ra------ C:\WINDOWS\system32\drivers\CamAv.sys
2007-12-26 20:22 . 2004-12-28 03:19 57,344 -ra------ C:\WINDOWS\HAJEInstall.dll
2007-12-26 20:22 . 2005-07-19 17:23 11,648 -ra------ C:\WINDOWS\system32\drivers\CamFlt.sys
2007-12-26 20:22 . 2005-08-22 04:13 4,385 -ra------ C:\WINDOWS\system32\install.inf
2007-12-23 17:32 . 2007-12-23 17:32 d-------- C:\Program Files\InterMute
2007-12-23 17:32 . 2007-12-23 17:32 2,158 --a------ C:\WINDOWS\system32\ssmute.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-27 03:24 --------- d-----w C:\Program Files\QuickTime
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-30 04:42 --------- d-----w C:\Program Files\MySpace
2007-11-30 04:42 --------- d-----w C:\Documents and Settings\Sandy Rudy\Application Data\MySpace
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 03:35 --------- d-----w C:\Program Files\Dl_cats
2005-11-03 23:29 72,832 ----a-r C:\WINDOWS\inf\CamAvb.sys
2007-01-09 02:02 88 --sh--r C:\WINDOWS\system32\BB92974E4C.sys
2007-01-09 02:03 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 01:24 20480]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-14 15:31 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 22:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 22:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 22:45 118784]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 08:28 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 08:28 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 22:30 282624 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 17:48 761947]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50 81920]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-01-01 08:05 236544]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2006-08-22 14:32 184320]
"Device Detector"="DevDetect.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-01 08:03 98304]
"dlcimon.exe"="C:\Program Files\Dell AIO Printer 946\dlcimon.exe" [2006-02-14 02:26 430080]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 21:07:32]
SpySubtract.lnk - C:\Program Files\InterMute\SpySubtract\SpySub.exe [2007-12-23 17:32:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\InterMute\SpySubtract\sshook.dll [2007-12-23 17:32 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R3 dlci_device;dlci_device;C:\WINDOWS\system32\dlcicoms.exe [2006-05-11 14:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.


catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 18:11:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-01-08 18:13:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-09 01:13:44

HiJackthis Log:

Logfile of HijackThis v1.98.2
Scan saved at 6:18:47 PM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer 946\dlcimon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\dlcicoms.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Sandy Rudy\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070101
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [dlcimon.exe] "C:\Program Files\Dell AIO Printer 946\dlcimon.exe"
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash.com/photo/loaders/ImageUploader4.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

Is there a last part to the HJT log?

Do you remember the name of the file avast detected?

That was the entire HJT logfile.

Win32:BHO-KD [trg] was the virus, it said it was infecting C:\WINDOWS\System32\cmdvie.dll

I reran HJT and got the same results as posted earlier.

Ok, it's strange, there usually are O23 lines.

I’ll look with a different scanner.

BTW cmdvie died :wink: ;D

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
- Close all other windows before proceeding.
- Double-click on dss.exe and follow the prompts.
- When it has finished, dss will open two Notepads, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt in your next reply.
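The helper's remark that a HijackThis log "usually" has O23 lines is a check on the log format itself: the v1.98.2 log posted above stops at O21, while the v2.0.2 log that DSS embeds below lists the O23 services. As an added example (not from this thread, and not HijackThis or DSS code), here is a small Python parser for that format that groups entries by section code, reports which expected sections are absent, and diffs two logs so that a new BHO, Run entry or service stands out between scans. The sample logs are constructed from a few lines shaped like the thread's own logs, and the EXPECTED_SECTIONS tuple is my assumption about what a complete log from a Windows XP box normally contains.

```python
import re
from collections import defaultdict

# One HijackThis entry line: a section code (R0, O2, O4, O23, ...) then " - " then the body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Assumption: sections a complete HijackThis 2.x log from a Windows XP box normally has.
EXPECTED_SECTIONS = ("R0", "R1", "O2", "O4", "O23")


def parse_hjt_log(text):
    """Group a log's entry lines by section code.

    Header lines and the "Running processes:" list carry no code prefix and are skipped.
    """
    sections = defaultdict(list)
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            sections[match.group("code")].append(match.group("body"))
    return dict(sections)


def missing_sections(sections, expected=EXPECTED_SECTIONS):
    """Expected section codes that do not appear in a parsed log, in expected order."""
    return [code for code in expected if code not in sections]


def diff_logs(old, new):
    """Entries removed or added between two parsed logs, keyed by section code."""
    changes = {}
    for code in sorted(set(old) | set(new)):
        before, after = set(old.get(code, ())), set(new.get(code, ()))
        if before != after:
            changes[code] = {"removed": sorted(before - after), "added": sorted(after - before)}
    return changes


# Constructed sample logs: a few lines in the shape of the two logs posted in this thread.
OLD_LOG = r"""Logfile of HijackThis v1.98.2
Scan saved at 6:18:47 PM, on 1/8/2008

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
"""

NEW_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17:33 PM, on 1/8/2008

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
"""


def compare(old_text, new_text):
    """Parse both logs and return (missing_in_old, missing_in_new, changes)."""
    old, new = parse_hjt_log(old_text), parse_hjt_log(new_text)
    return missing_sections(old), missing_sections(new), diff_logs(old, new)


if __name__ == "__main__":
    missing_old, missing_new, changes = compare(OLD_LOG, NEW_LOG)
    print("sections missing from old log:", missing_old)
    print("sections missing from new log:", missing_new)
    for code, delta in changes.items():
        for body in delta["removed"]:
            print(f"- {code} - {body}")
        for body in delta["added"]:
            print(f"+ {code} - {body}")
```

Run against the two sample logs, the old log is reported as missing R1 and O23, and the diff shows only the R1 and O23 entries as added; the unchanged O2 BHO and O4 Run entries are not listed, which is the point when you are comparing a scan taken before a cleanup with one taken after it.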

Run by Sandy Rudy on 2008-01-08 19:15:23
Computer is in Normal Mode.

-- System Restore --------------------------------------------------------------

Successfully created a Deckard’s System Scanner Restore Point.

-- Last 5 Restore Point(s) --
7: 2008-01-09 02:15:29 UTC - RP7 - Deckard’s System Scanner Restore Point
6: 2008-01-09 01:05:41 UTC - RP6 - ComboFix created restore point
5: 2007-12-30 17:20:44 UTC - RP5 - System Checkpoint
4: 2007-12-22 19:45:17 UTC - RP4 - Software Distribution Service 3.0
3: 2007-12-14 22:50:36 UTC - RP3 - System Checkpoint

-- First Restore Point --
1: 2007-12-08 04:27:52 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Sandy Rudy.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17:33 PM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer 946\dlcimon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\dlcicoms.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Install\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sandy Rudy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070101
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [dlcimon.exe] "C:\Program Files\Dell AIO Printer 946\dlcimon.exe"
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash.com/photo/loaders/ImageUploader4.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: dlci_device - - C:\WINDOWS\system32\dlcicoms.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


End of file - 8655 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.10.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.10.0>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S3 catchme - c:\docume~1\sandyr~1\locals~1\temp\catchme.sys (file missing)
S3 DSproct - c:\program files\dell support\gtaction\triggers\dsproct.sys <Not Verified; GTek Technologies Ltd.; processt>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RegSrvc (Intel(R) PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel(R) PROSet/Wireless Registry Service>
R2 WLANKEEPER (Intel(R) PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel(R) Corporation; SSO Service>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Files created between 2007-12-08 and 2008-01-08 -----------------------------

2008-01-07 22:08:05 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-01-07 19:07:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-01 18:59:41 0 d-------- C:\!KillBox
2008-01-01 16:29:32 0 d-------- C:\VundoFix Backups
2007-12-28 20:53:27 356352 --a------ C:\Documents and Settings\Sandy Rudy\cwshredder.dll <Not Verified; Trend Micro Incorporated; Anti-Spyware Engine>
2007-12-26 20:22:56 147456 -ra------ C:\WINDOWS\system32\mcs_vfw.dll
2007-12-26 20:22:56 249856 -ra------ C:\WINDOWS\system32\mcs_cor2.dll
2007-12-26 20:22:56 700416 -ra------ C:\WINDOWS\system32\mcs_cor1.dll
2007-12-26 20:22:40 282624 -ra------ C:\WINDOWS\Uninstall.exe <Not Verified; ; Uninstall ?? ???>
2007-12-26 20:22:40 11648 -ra------ C:\WINDOWS\system32\drivers\CamFlt.sys <Not Verified; Samsung electronics, Inc; Samsung electronics, Inc>
2007-12-26 20:22:40 72832 -ra------ C:\WINDOWS\system32\drivers\CamAvb.sys <Not Verified; Samsung Inc.; Samsung Digial Video Camera>
2007-12-26 20:22:40 58624 -ra------ C:\WINDOWS\system32\drivers\CamAv.sys <Not Verified; Samsung electronics, Inc; Samsung electronics, Inc>
2007-12-26 20:22:40 57344 -ra------ C:\WINDOWS\HAJEInstall.dll
2007-12-23 17:32:03 0 d-------- C:\Program Files\InterMute
2007-12-08 11:44:47 0 d-------- C:\WINDOWS\pss

-- Find3M Report ---------------------------------------------------------------

2008-01-08 19:17:21 0 d-------- C:\Program Files\Trend Micro
2008-01-08 17:57:00 1466864 --a------ C:\Documents and Settings\Sandy Rudy\Application Data\CleanUp!.log
2007-12-26 20:24:33 0 d-------- C:\Program Files\QuickTime
2007-11-29 21:42:07 0 d-------- C:\Documents and Settings\Sandy Rudy\Application Data\MySpace
2007-11-29 21:42:03 0 d-------- C:\Program Files\MySpace
2007-11-12 20:35:10 0 d-------- C:\Program Files\Dl_cats

-- Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 01:01 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [12/13/2005 10:44 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [12/13/2005 10:41 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [12/13/2005 10:45 PM]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [05/01/2006 08:28 AM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [05/01/2006 08:28 AM]
"SigmatelSysTrayApp"="stsystra.exe" [03/24/2006 10:30 PM C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03/08/2006 05:48 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [12/06/2004 12:05 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 03:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 03:50 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [01/01/2007 08:05 AM]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [08/22/2006 02:32 PM]
"Device Detector"="DevDetect.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/01/2007 08:03 AM]
"dlcimon.exe"="C:\Program Files\Dell AIO Printer 946\dlcimon.exe" [02/14/2006 02:26 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 06:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [09/10/2003 01:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 04:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/14/2007 03:31 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 9:05:26 PM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [5/3/2005 9:07:32 PM]
SpySubtract.lnk - C:\Program Files\InterMute\SpySubtract\SpySub.exe [12/23/2007 5:32:04 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\InterMute\SpySubtract\sshook.dll [12/23/2007 05:32 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

-- End of Deckard's System Scanner: finished at 2008-01-08 19:18:04 ------------

Deckard’s System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel(R) CPU T2050 @ 1.60GHz
CPU 1: Genuine Intel(R) CPU T2050 @ 1.60GHz
Percentage of Memory in Use: 25%
Physical Memory (total/avail): 2038.37 MiB / 1523.5 MiB
Pagefile Memory (total/avail): 4933.19 MiB / 4544.47 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.68 MiB

C: is Fixed (NTFS) - 142.36 GiB total, 69.06 GiB free.
D: is CDROM (UDF)

\\.\PHYSICALDRIVE0 - Hitachi HTS541616J9SA00 - 149.05 GiB - 4 partitions
\PARTITION0 - Unknown - 47.03 MiB
\PARTITION1 (bootable) - Installable File System - 142.36 GiB - C:
\PARTITION2 - Extended w/Extended Int 13 - 2047.35 MiB
\PARTITION3 - Unknown - 4.64 GiB

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: avast! antivirus 4.7.1098 [VPS 080108-0] v4.7.1098 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Sandy Rudy\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=S1LAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Sandy Rudy
LOGONSERVER=\\S1LAPTOP
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\SANDYR~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\SANDYR~1\LOCALS~1\Temp
USERDOMAIN=S1LAPTOP
USERNAME=Sandy Rudy
USERPROFILE=C:\Documents and Settings\Sandy Rudy
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Sandy Rudy
Administrator

-- Add/Remove Programs ---------------------------------------------------------

→ C:\WINDOWS\system32\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
→ C:\WINDOWS\system32\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
→ C:\WINDOWS\system32\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
→ C:\WINDOWS\system32\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
→ rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 6.0 Sprint → MsiExec.exe /X{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
ACDSee Pro → MsiExec.exe /I{F99F74B4-972B-4B06-B893-6B3B0DB0128B}
Actiontec Gateway → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9692FD03-6662-4E62-B08C-30DFF51651E1}\setup.exe" -l0x9
Adobe Flash Player 9 ActiveX → C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.0.8 → MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Shockwave Player → C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AOLIcon → MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
avast! Antivirus → rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Blasterball 2 Holidays (Free with Game Console - WildGames) → “C:\Program Files\WildGames\Blasterball 2 Holidays\Uninstall.exe”
CleanUp! → C:\Program Files\CleanUp!\uninstall.exe
Conexant HDA D110 MDC V.92 Modem → C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028k.inf
Dell AIO Printer 946 → C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\dlciUNST.EXE -NOLICENSE
Dell Game Console → “C:\Program Files\WildTangent\Apps\Dell Game Console\Uninstall.exe”
Dell Support 3.2.1 → MsiExec.exe /X{CEE2252C-4035-4B27-8EC6-0B085DD3A413}
Documentation & Support Launcher → MsiExec.exe /X{B0DF58A2-40DF-4465-AA56-38623EC9938C}
Game Console - WildGames → “C:\Program Files\WildGames\Game Console - WildGames\Uninstall.exe”
Games, Music, & Photos Launcher → MsiExec.exe /X{B6884A07-0305-47AE-9969-8F26FADC17DE}
GemMaster Mystic → “C:\Program Files\GemMaster\uninstallgemmaster.exe”
Google Desktop → C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer → regsvr32 /u /s “c:\program files\google\googletoolbar2.dll”
High Definition Audio Driver Package - KB835221 → C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
Hotfix for Windows Media Format 11 SDK (KB929399) → "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel(R) Graphics Media Accelerator Driver → RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Intel(R) PROSet/Wireless Software → C:\WINDOWS\Installer\iProInst.exe
J2SE Runtime Environment 5.0 Update 6 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
LDS Scriptures CD-ROM Resource Edition → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E622695B-3A22-4774-993D-318049488C0B}\setup.exe"
mCore → MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDrWiFi → MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
MediaDirect → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}\Setup.exe" -l0x9 -cluninstall
mHlpDell → MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Compression Client Pack 1.0 for Windows XP → "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Outlook 2003 with Business Contact Manager Update → MsiExec.exe /I{BA68600E-96D9-4E92-80F2-26B9681B5A63}
Microsoft Office Professional Edition 2003 → MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Small Business Edition 2003 → MsiExec.exe /I{91CA0409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition Installer → MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE → MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ) → MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft User-Mode Driver Framework Feature Pack 1.0 → "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
mIWA → MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView → MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse → MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
mPfMgr → MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz → MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe → MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSN → C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
mSSO → MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
mWlsSafe → MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI → MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mXML → MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig → MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Nero 6 Enterprise Edition → C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NetWaiting → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
OutlookAddinSetup → MsiExec.exe /I{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}
Paint Shop Pro 7 ESD → MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
QuickTime → C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic → C:\Program Files\Common Files\Real\Update\rnuninst.exe RealNetworks|RealPlayer|6.0
Samsung CamCorder Driver → C:\WINDOWS\Uninstall.exe
Samsung Video Codec 1.1 Uninstall → C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection Remove_SMP4 132 C:\WINDOWS\INF\install.inf
Scrapbook Factory Deluxe 3.0 → MsiExec.exe /X{08F9879C-0AA3-4B0A-AACE-3498BBCAE175}
SearchAssist → C:\DELL\SearchAssist\UninstSA.bat
Sonic DLA → MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic Encoders → MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sonic MyDVD LE → MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio → MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy → MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data → MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager → MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spybot - Search & Destroy → “C:\Program Files\Spybot - Search & Destroy\unins000.exe”
SpySubtract → c:\Program Files\InterMute\SpySubtract\SpySub.exe -uninstall
Synaptics Pointing Device Driver → rundll32.exe “C:\Program Files\Synaptics\SynTP\SynISDLL.dll”,standAloneUninstall
Update Rollup 2 for Windows XP Media Center Edition 2005 → C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
URL Assistant → regsvr32 /u /s “C:\Program Files\BAE\BAE.dll”
VideoLAN VLC media player 0.7.2 → C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player → C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Media Format 11 runtime → "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB908246 → "C:\WINDOWS\$NtUninstallKB908246$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB925766 → "C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
Winkflash Transporter → MsiExec.exe /I{8B611C23-ADB6-4F5E-A04A-959EB0D349F6}

-- Application Event Log -------------------------------------------------------

Event Record #/Type2308 / Error
Event Submitted/Written: 01/08/2008 06:42:24 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SpySub.exe, version 3.0.0.29, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2304 / Warning
Event Submitted/Written: 01/08/2008 06:10:16 PM
Event ID/Source: 19011 / MSSQL$MICROSOFTSMLBIZ
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type2296 / Warning
Event Submitted/Written: 01/08/2008 05:54:14 PM
Event ID/Source: 19011 / MSSQL$MICROSOFTSMLBIZ
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type2290 / Warning
Event Submitted/Written: 01/07/2008 10:08:05 PM
Event ID/Source: 19011 / MSSQL$MICROSOFTSMLBIZ
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type2288 / Error
Event Submitted/Written: 01/07/2008 10:07:52 PM
Event ID/Source: 1010 / Windows Product Activation
Event Description:
The Windows license was restored due to a system error. You might need to reactivate your Windows product.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type21075 / Error
Event Submitted/Written: 01/08/2008 06:08:23 PM
Event ID/Source: 11 / PlugPlayManager
Event Description:
The device Root\LEGACY_FKORGGKC\0000 disappeared from the system without first being prepared for removal.

Event Record #/Type21074 / Error
Event Submitted/Written: 01/08/2008 06:08:22 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The combofix service failed to start due to the following error:
%%1053

Event Record #/Type21073 / Error
Event Submitted/Written: 01/08/2008 06:08:22 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the combofix service to connect.

Event Record #/Type21035 / Error
Event Submitted/Written: 01/08/2008 05:53:45 PM / 01/08/2008 05:54:15 PM
Event ID/Source: 4307 / NetBT
Event Description:
Initialization failed because the transport refused to open initial Addresses.

Event Record #/Type21005 / Error
Event Submitted/Written: 01/07/2008 10:08:18 PM
Event ID/Source: 32003 / ipnathlp
Event Description:
The Network Address Translator (NAT) was unable to request an operation
of the kernel-mode translation module.
This may indicate misconfiguration, insufficient resources, or
an internal error.
The data is the error code.

-- End of Deckard's System Scanner: finished at 2008-01-08 19:18:04 ------------

—That’s all of it— What next???
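A note on what to look at in the autostart sections of the logs above, with an added example that is not part of this thread and is not code from ComboFix, DSS or HijackThis. The entries a responder checks first are the ones the log already makes easy to spot: a Run value that is a bare file name rather than a full path (the tool prints the path it resolved it to inside the brackets, as it did for stsystra.exe, while "Device Detector"="DevDetect.exe" carries no such path), a populated AppInit_DLLs value, any ShellExecuteHooks DLL, and the AutoRun command cached under MountPoints2 for the E: volume. The Python script below parses a constructed excerpt modelled on the Reg Loading Points block and flags exactly those cases. A flag is a pointer, not a verdict: in this log they point at the Sigmatel tray app, DevDetect.exe (the HijackThis process list further down shows it running from C:\Program Files\Common Files\ACD Systems), InterMute's sshook.dll, a DLL in the Google folder, and a CD-ROM setup.exe. The Entry and Finding field names and the reason strings are this example's own choices.

```python
r"""Triage the "Reg Loading Points" block of a ComboFix / DSS log.

Added example for this thread, not code from ComboFix, DSS or the posters.
SAMPLE is a constructed excerpt modelled on the log above; the Entry/Finding
fields and the reason wording are this example's own choices.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 22:30 282624 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 17:48 761947]
"Device Detector"="DevDetect.exe"
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00 79224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\InterMute\SpySubtract\sshook.dll [2007-12-23 17:32 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                     # [HKEY_...] header
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<rest>.*)$')  # "name"=data [...]
META_RE = re.compile(r"\s*\[(?P<meta>[^\]]*)\]\s*$")               # trailing [date size path]
AUTORUN_RE = re.compile(r"^(?:\\?Shell\\)?AutoRun\\command\s*-\s*(?P<cmd>.+)$", re.I)
PATH_RE = re.compile(r"[A-Za-z]:\\\S+")                            # drive-qualified path

@dataclass
class Entry:
    key: str                 # registry key exactly as printed
    name: str                # value name, or Shell\AutoRun\command for MountPoints2
    value: str               # data with surrounding quotes stripped
    resolved: Optional[str]  # full path, from the data or from the tool's [...] block

@dataclass
class Finding:
    entry: Entry
    reason: str

def parse_loading_points(text: str) -> List[Entry]:
    """One Entry per value line; lines before the first [key] are ignored."""
    entries, key = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if (m := KEY_RE.match(line)):
            key = m.group("key")
        elif key is None:
            continue
        elif (m := AUTORUN_RE.match(line)):
            cmd = m.group("cmd").strip()
            entries.append(Entry(key, "Shell\\AutoRun\\command", cmd,
                                 cmd if PATH_RE.match(cmd) else None))
        elif (m := VALUE_RE.match(line)):
            rest, meta = m.group("rest"), ""
            if (mm := META_RE.search(rest)):
                rest, meta = rest[:mm.start()], mm.group("meta")
            data = rest.strip().strip('"')
            # ComboFix prints the path it resolved a bare name to inside the [...] block
            pm = PATH_RE.search(meta)
            resolved = data if PATH_RE.match(data) else (pm.group(0) if pm else None)
            entries.append(Entry(key, m.group("name"), data, resolved))
    return entries

def triage(entries: List[Entry]) -> List[Finding]:
    """Flag what deserves a second look.  A flag is a pointer, not a verdict."""
    out = []
    for e in entries:
        k = e.key.lower()
        if k.endswith(("\\run", "\\runonce")) and "\\" not in e.value:
            why = (f"bare file name, resolved by the tool to {e.resolved}" if e.resolved else
                   "bare file name with no resolved path: loaded via the search path, "
                   "so locate the binary before trusting it")
            out.append(Finding(e, why))
        elif k.endswith("\\shellexecutehooks"):
            out.append(Finding(e, "ShellExecuteHook DLL: loaded by Explorer and other "
                                  "ShellExecute callers, confirm the vendor"))
        elif e.name.lower() == "appinit_dlls" and e.value:
            out.append(Finding(e, "AppInit_DLLs populated: DLL injected into every "
                                  "process that loads user32.dll"))
        elif "mountpoints2" in k and e.name.lower().endswith("autorun\\command"):
            out.append(Finding(e, f"AutoRun command cached for a removable/optical volume: {e.value}"))
    return out

def report(text: str) -> List[str]:
    """One line per finding, ready to paste into a reply or a ticket."""
    return [f"{f.entry.name} = {f.entry.value}  ->  {f.reason}"
            for f in triage(parse_loading_points(text))]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Paste a real Reg Loading Points block into SAMPLE (or read it from the saved ComboFix.txt) and the same five checks apply; for the HKCU Run block further up, which is all full paths, it reports nothing, which is the point: the script narrows the list to the handful of lines that need a publisher check, it does not decide for you.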

Everything seems ok at that end?? Let me know.

It looks good here. I’ve got some clean up/housekeeping items for you to do.

So far so good. I rebooted. It never takes more than a minute before Avast finds that trojan and it hasn’t so far. System seems to be running faster also.

You had some clean up for me to do? Also, what more than Avast, Spybot, SpySubtract do I need in order to avoid this in the future?

Wooo. The Venus Fly Trap feature of SpySubtract just told me that changes were being made to my system, I clicked for further details and it listed about a 1,000 porn sites “URL Zone Change:*.gaypornmag.com” etc. I clicked on Deny and I was told they’ve been added to my restricted sites list. How did that all happen?

I think you were hit by a driveby. Any noticeable effects?

Hold off on the cleanup and rerun Combofix and DSS

I’d suggest superantispyware. The free version is on demand only, that is you would have to scan manually. But with spybot as resident and doing regular SAS and avast scans, it should be a good combination. Right now SAS is the heavyweight.

I’ll give you my “canned” speech regarding SAS if you want to try it. You should also disconnect from the internet and pause avast and spybot. Faster that way and avast won’t be detecting SAS’s files and alerting you. Safe mode will work also as avast won’t be loaded in safe mode.

Download superantispyware

First update SAS Then

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked

  • CHECK ALL BOXES

Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive (and other fixed drives).
Under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan.

When the scan is done, quarantine everything found. Reboot if asked.

  1. Please download OTMoveIt by OldTimer. Save it to your desktop and double-click OTMoveIt.exe to run it, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

  2. No #2 item for you

  3. Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

  4. Remove old restore points

Disk Cleanup

  • Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

Your java is waaay out of date. It can be an entry point for malware.

  1. Open an Internet Explorer (only) window and go to http://www.java.com/en/download/manual.jsp > In the middle of the page, click on the Download button to the right of Java Runtime Environment (JRE) 6u3 > If Information Bar pop-ups up, right-click on it and say it’s OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control

Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u3-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

  5. Download and run this clean up utility. You can use it regularly. When it’s first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp

  6. It looks like you are using Windows Firewall. It doesn’t provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

You can also delete any logs, notepads, etc. that you may have left that were created during this.

I will do all that you said on your last post. Here are the results of the last Combofix you asked me to run. I’m going to run DSS then go through your list of things to do from your last post.

ComboFix 08-01-09.2 - Sandy Rudy 2008-01-08 20:00:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1571 [GMT -7:00]
Running from: C:\Install\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))
.

2008-01-08 19:14 . 2008-01-08 19:14 d-------- C:\Deckard
2008-01-08 18:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-07 22:07 . 2008-01-07 22:07 2,126 --a------ C:\WINDOWS\system32\wpa.dbl
2008-01-07 19:07 . 2008-01-07 22:48 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-01 16:29 . 2008-01-01 16:29 d-------- C:\VundoFix Backups
2007-12-28 20:53 . 2008-01-01 19:54 356,352 --a------ C:\Documents and Settings\Sandy Rudy\cwshredder.dll
2007-12-26 20:22 . 2005-09-15 03:15 860,160 -ra------ C:\WINDOWS\system32\mcs_dec2.ax
2007-12-26 20:22 . 2005-08-22 04:11 700,416 -ra------ C:\WINDOWS\system32\mcs_cor1.dll
2007-12-26 20:22 . 2005-11-08 22:05 282,624 -ra------ C:\WINDOWS\Uninstall.exe
2007-12-26 20:22 . 2005-09-15 01:16 249,856 -ra------ C:\WINDOWS\system32\mcs_cor2.dll
2007-12-26 20:22 . 2005-08-22 04:12 147,456 -ra------ C:\WINDOWS\system32\mcs_vfw.dll
2007-12-26 20:22 . 2005-11-03 16:29 72,832 -ra------ C:\WINDOWS\system32\drivers\CamAvb.sys
2007-12-26 20:22 . 2005-12-16 01:53 58,624 -ra------ C:\WINDOWS\system32\drivers\CamAv.sys
2007-12-26 20:22 . 2004-12-28 03:19 57,344 -ra------ C:\WINDOWS\HAJEInstall.dll
2007-12-26 20:22 . 2005-07-19 17:23 11,648 -ra------ C:\WINDOWS\system32\drivers\CamFlt.sys
2007-12-26 20:22 . 2005-08-22 04:13 4,385 -ra------ C:\WINDOWS\system32\install.inf
2007-12-23 17:32 . 2007-12-23 17:32 d-------- C:\Program Files\InterMute
2007-12-23 17:32 . 2007-12-23 17:32 2,158 --a------ C:\WINDOWS\system32\ssmute.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 02:17 --------- d-----w C:\Program Files\Trend Micro
2007-12-27 03:24 --------- d-----w C:\Program Files\QuickTime
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-30 04:42 --------- d-----w C:\Program Files\MySpace
2007-11-30 04:42 --------- d-----w C:\Documents and Settings\Sandy Rudy\Application Data\MySpace
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 03:35 --------- d-----w C:\Program Files\Dl_cats
2007-10-30 09:55 3,065,856 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 00:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 00:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-11 05:57 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-10-11 05:57 666,112 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-11 05:57 617,984 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-11 05:57 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-11 05:57 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-11 05:57 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-10-11 05:57 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-11 05:57 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-11 05:57 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-10-11 05:57 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-10-11 05:57 205,824 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-11 05:57 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-11 05:57 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-10-11 05:57 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-11 05:57 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-11 05:57 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-10-11 05:57 1,024,000 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-10-10 10:48 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2005-11-03 23:29 72,832 ----a-r C:\WINDOWS\inf\CamAvb.sys
2007-01-09 02:02 88 --sh--r C:\WINDOWS\system32\BB92974E4C.sys
2007-01-09 02:03 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-08_18.13.31.62 )))))))))))))))))))))))))))))))))))))))))
.

+ 2008-01-09 02:43:02 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_2b8.dat
+ 2008-01-09 02:42:54 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 01:24 20480]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-14 15:31 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 22:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 22:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 22:45 118784]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 08:28 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 08:28 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 22:30 282624 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 17:48 761947]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50 81920]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-01-01 08:05 236544]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2006-08-22 14:32 184320]
"Device Detector"="DevDetect.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-01 08:03 98304]
"dlcimon.exe"="C:\Program Files\Dell AIO Printer 946\dlcimon.exe" [2006-02-14 02:26 430080]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 21:07:32]
SpySubtract.lnk - C:\Program Files\InterMute\SpySubtract\SpySub.exe [2007-12-23 17:32:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\InterMute\SpySubtract\sshook.dll [2007-12-23 17:32 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R3 dlci_device;dlci_device;C:\WINDOWS\system32\dlcicoms.exe [2006-05-11 14:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.


catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 20:02:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-01-08 20:03:29
ComboFix-quarantined-files.txt 2008-01-09 03:03:20
ComboFix2.txt 2008-01-09 01:13:46

Here’s what the DSS scan logged in main.txt

Deckard’s System Scanner v20071014.68
Run by Sandy Rudy on 2008-01-08 20:08:49
Computer is in Normal Mode.

-- HijackThis (run as Sandy Rudy.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:54 PM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell AIO Printer 946\dlcimon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dlcicoms.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Install\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SANDYR~1.EXE