jkrudy's BHO

oldman960 · 2008-01-09T01:52:13.000Z

Is there a last part to the HJT log?

Do you remember the name of the file avast detected?

system · 2008-01-09T01:56:18.000Z

That was the entire HJT logfile.

Win32:BHO-KD [trg] was the virus, it said it was infecting C:\WINDOWS\System32\cmdvie.dll

I reran HJT and got the same results as posted earlier.

oldman960 · 2008-01-09T02:06:12.000Z

Ok, it’s strange, there usually are 023 lines.

I’ll look with a different scanner.

BTW cmdvie died ;D

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt in your next reply.

system · 2008-01-09T02:25:52.000Z

Run by Sandy Rudy on 2008-01-08 19:15:23
Computer is in Normal Mode.

– System Restore --------------------------------------------------------------

Successfully created a Deckard’s System Scanner Restore Point.

– Last 5 Restore Point(s) –
7: 2008-01-09 02:15:29 UTC - RP7 - Deckard’s System Scanner Restore Point
6: 2008-01-09 01:05:41 UTC - RP6 - ComboFix created restore point
5: 2007-12-30 17:20:44 UTC - RP5 - System Checkpoint
4: 2007-12-22 19:45:17 UTC - RP4 - Software Distribution Service 3.0
3: 2007-12-14 22:50:36 UTC - RP3 - System Checkpoint

– First Restore Point –
1: 2007-12-08 04:27:52 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

– HijackThis (run as Sandy Rudy.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17:33 PM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer 946\dlcimon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\dlcicoms.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Install\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sandy Rudy.exe

system · 2008-01-09T02:26:38.000Z

–
End of file - 8655 bytes

system · 2008-01-09T02:27:09.000Z

– File Associations -----------------------------------------------------------

All associations okay.

– Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.10.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.10.0>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S3 catchme - c:\docume~1\sandyr~1\locals~1\temp\catchme.sys (file missing)
S3 DSproct - c:\program files\dell support\gtaction\triggers\dsproct.sys <Not Verified; GTek Technologies Ltd.; processt>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)

– Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RegSrvc (Intel(R) PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel(R) PROSet/Wireless Registry Service>
R2 WLANKEEPER (Intel(R) PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel(R) Corporation; SSO Service>

– Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

– Files created between 2007-12-08 and 2008-01-08 -----------------------------

2008-01-07 22:08:05 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-01-07 19:07:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-01 18:59:41 0 d-------- C:!KillBox
2008-01-01 16:29:32 0 d-------- C:\VundoFix Backups
2007-12-28 20:53:27 356352 --a------ C:\Documents and Settings\Sandy Rudy\cwshredder.dll <Not Verified; Trend Micro Incorporated; Anti-Spyware Engine>
2007-12-26 20:22:56 147456 -ra------ C:\WINDOWS\system32\mcs_vfw.dll
2007-12-26 20:22:56 249856 -ra------ C:\WINDOWS\system32\mcs_cor2.dll
2007-12-26 20:22:56 700416 -ra------ C:\WINDOWS\system32\mcs_cor1.dll
2007-12-26 20:22:40 282624 -ra------ C:\WINDOWS\Uninstall.exe <Not Verified; ; Uninstall ?? ???>
2007-12-26 20:22:40 11648 -ra------ C:\WINDOWS\system32\drivers\CamFlt.sys <Not Verified; Samsung electronics, Inc; Samsung electronics, Inc>
2007-12-26 20:22:40 72832 -ra------ C:\WINDOWS\system32\drivers\CamAvb.sys <Not Verified; Samsung Inc.; Samsung Digial Video Camera>
2007-12-26 20:22:40 58624 -ra------ C:\WINDOWS\system32\drivers\CamAv.sys <Not Verified; Samsung electronics, Inc; Samsung electronics, Inc>
2007-12-26 20:22:40 57344 -ra------ C:\WINDOWS\HAJEInstall.dll
2007-12-23 17:32:03 0 d-------- C:\Program Files\InterMute
2007-12-08 11:44:47 0 d-------- C:\WINDOWS\pss

– Find3M Report ---------------------------------------------------------------

2008-01-08 19:17:21 0 d-------- C:\Program Files\Trend Micro
2008-01-08 17:57:00 1466864 --a------ C:\Documents and Settings\Sandy Rudy\Application Data\CleanUp!.log
2007-12-26 20:24:33 0 d-------- C:\Program Files\QuickTime
2007-11-29 21:42:07 0 d-------- C:\Documents and Settings\Sandy Rudy\Application Data\MySpace
2007-11-29 21:42:03 0 d-------- C:\Program Files\MySpace
2007-11-12 20:35:10 0 d-------- C:\Program Files\Dl_cats

– Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ehTray”=“C:\WINDOWS\ehome\ehtray.exe” [09/29/2005 01:01 PM]
“igfxtray”=“C:\WINDOWS\system32\igfxtray.exe” [12/13/2005 10:44 PM]
“igfxhkcmd”=“C:\WINDOWS\system32\hkcmd.exe” [12/13/2005 10:41 PM]
“igfxpers”=“C:\WINDOWS\system32\igfxpers.exe” [12/13/2005 10:45 PM]
“IntelZeroConfig”=“C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe” [05/01/2006 08:28 AM]
“IntelWireless”=“C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” [05/01/2006 08:28 AM]
“SigmatelSysTrayApp”=“stsystra.exe” [03/24/2006 10:30 PM C:\WINDOWS\stsystra.exe]
“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [03/08/2006 05:48 PM]
“dla”=“C:\WINDOWS\system32\dla\tfswctrl.exe” [12/06/2004 12:05 AM]
“ISUSPM Startup”=“C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe” [07/27/2004 03:50 PM]
“ISUSScheduler”=“C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” [07/27/2004 03:50 PM]
“Google Desktop Search”=“C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” [01/01/2007 08:05 AM]
“PCMService”=“C:\Program Files\Dell\MediaDirect\PCMService.exe” [08/22/2006 02:32 PM]
“Device Detector”=“DevDetect.exe”
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [01/01/2007 08:03 AM]
“dlcimon.exe”=“C:\Program Files\Dell AIO Printer 946\dlcimon.exe” [02/14/2006 02:26 AM]
“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [07/09/2001 10:50 AM]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [12/04/2007 06:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ModemOnHold”=“C:\Program Files\NetWaiting\netWaiting.exe” [09/10/2003 01:24 AM]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [08/10/2004 04:00 AM]
“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [10/13/2004 09:24 AM]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [08/14/2007 03:31 PM]
“SpybotSD TeaTimer”=“C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” [08/31/2007 04:46 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 9:05:26 PM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [5/3/2005 9:07:32 PM]
SpySubtract.lnk - C:\Program Files\InterMute\SpySubtract\SpySub.exe [12/23/2007 5:32:04 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“InstallVisualStyle”=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
“InstallTheme”=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
“{FA010552-4A27-4cb1-A1BB-3E2D697F1639}”= c:\Program Files\InterMute\SpySubtract\sshook.dll [12/23/2007 05:32 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
“appinit_dlls”=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

– End of Deckard’s System Scanner: finished at 2008-01-08 19:18:04 ------------

system · 2008-01-09T02:29:04.000Z

Deckard’s System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

– System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel(R) CPU T2050 @ 1.60GHz
CPU 1: Genuine Intel(R) CPU T2050 @ 1.60GHz
Percentage of Memory in Use: 25%
Physical Memory (total/avail): 2038.37 MiB / 1523.5 MiB
Pagefile Memory (total/avail): 4933.19 MiB / 4544.47 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.68 MiB

C: is Fixed (NTFS) - 142.36 GiB total, 69.06 GiB free.
D: is CDROM (UDF)

\.\PHYSICALDRIVE0 - Hitachi HTS541616J9SA00 - 149.05 GiB - 4 partitions
\PARTITION0 - Unknown - 47.03 MiB
\PARTITION1 (bootable) - Installable File System - 142.36 GiB - C:
\PARTITION2 - Extended w/Extended Int 13 - 2047.35 MiB
\PARTITION3 - Unknown - 4.64 GiB

– Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: avast! antivirus 4.7.1098 [VPS 080108-0] v4.7.1098 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

– Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Sandy Rudy\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=S1LAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Sandy Rudy
LOGONSERVER=\S1LAPTOP
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\SANDYR~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\SANDYR~1\LOCALS~1\Temp
USERDOMAIN=S1LAPTOP
USERNAME=Sandy Rudy
USERPROFILE=C:\Documents and Settings\Sandy Rudy
windir=C:\WINDOWS

system · 2008-01-09T02:29:42.000Z

– User Profiles ---------------------------------------------------------------

Sandy Rudy I[/I]
Administrator I[/I]

– Add/Remove Programs ---------------------------------------------------------

→ C:\WINDOWS\system32\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
→ C:\WINDOWS\system32\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
→ C:\WINDOWS\system32\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
→ C:\WINDOWS\system32\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
→ rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 6.0 Sprint → MsiExec.exe /X{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
ACDSee Pro → MsiExec.exe /I{F99F74B4-972B-4B06-B893-6B3B0DB0128B}
Actiontec Gateway → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{9692FD03-6662-4E62-B08C-30DFF51651E1}\setup.exe” -l0x9
Adobe Flash Player 9 ActiveX → C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.0.8 → MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Shockwave Player → C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AOLIcon → MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
avast! Antivirus → rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Blasterball 2 Holidays (Free with Game Console - WildGames) → “C:\Program Files\WildGames\Blasterball 2 Holidays\Uninstall.exe”
CleanUp! → C:\Program Files\CleanUp!\uninstall.exe
Conexant HDA D110 MDC V.92 Modem → C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028k.inf
Dell AIO Printer 946 → C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\dlciUNST.EXE -NOLICENSE
Dell Game Console → “C:\Program Files\WildTangent\Apps\Dell Game Console\Uninstall.exe”
Dell Support 3.2.1 → MsiExec.exe /X{CEE2252C-4035-4B27-8EC6-0B085DD3A413}
Documentation & Support Launcher → MsiExec.exe /X{B0DF58A2-40DF-4465-AA56-38623EC9938C}
Game Console - WildGames → “C:\Program Files\WildGames\Game Console - WildGames\Uninstall.exe”
Games, Music, & Photos Launcher → MsiExec.exe /X{B6884A07-0305-47AE-9969-8F26FADC17DE}
GemMaster Mystic → “C:\Program Files\GemMaster\uninstallgemmaster.exe”
Google Desktop → C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer → regsvr32 /u /s “c:\program files\google\googletoolbar2.dll”
High Definition Audio Driver Package - KB835221 → C:\WINDOWS$NtUninstallKB835221WXP$\spuninst\spuninst.exe
Hotfix for Windows Media Format 11 SDK (KB929399) → “C:\WINDOWS$NtUninstallKB929399$\spuninst\spuninst.exe”
Intel(R) Graphics Media Accelerator Driver → RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Intel(R) PROSet/Wireless Software → C:\WINDOWS\Installer\iProInst.exe
J2SE Runtime Environment 5.0 Update 6 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
LDS Scriptures CD-ROM Resource Edition → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{E622695B-3A22-4774-993D-318049488C0B}\setup.exe”
mCore → MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDrWiFi → MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
MediaDirect → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}\Setup.exe” -l0x9 -cluninstall
mHlpDell → MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Compression Client Pack 1.0 for Windows XP → “C:\WINDOWS$NtUninstallMSCompPackV1$\spuninst\spuninst.exe”
Microsoft Office Outlook 2003 with Business Contact Manager Update → MsiExec.exe /I{BA68600E-96D9-4E92-80F2-26B9681B5A63}
Microsoft Office Professional Edition 2003 → MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Small Business Edition 2003 → MsiExec.exe /I{91CA0409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition Installer → MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE → MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ) → MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft User-Mode Driver Framework Feature Pack 1.0 → “C:\WINDOWS$NtUninstallWudf01000$\spuninst\spuninst.exe”
mIWA → MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView → MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse → MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
mPfMgr → MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz → MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe → MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSN → C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
mSSO → MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
mWlsSafe → MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI → MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mXML → MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig → MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Nero 6 Enterprise Edition → C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NetWaiting → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe” -l0x9 ControlPanel
OutlookAddinSetup → MsiExec.exe /I{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}
Paint Shop Pro 7 ESD → MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
QuickTime → C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic → C:\Program Files\Common Files\Real\Update\rnuninst.exe RealNetworks|RealPlayer|6.0
Samsung CamCorder Driver → C:\WINDOWS\Uninstall.exe
Samsung Video Codec 1.1 Uninstall → C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection Remove_SMP4 132 C:\WINDOWS\INF\install.inf
Scrapbook Factory Deluxe 3.0 → MsiExec.exe /X{08F9879C-0AA3-4B0A-AACE-3498BBCAE175}
SearchAssist → C:\DELL\SearchAssist\UninstSA.bat
Sonic DLA → MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic Encoders → MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sonic MyDVD LE → MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio → MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy → MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data → MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager → MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spybot - Search & Destroy → “C:\Program Files\Spybot - Search & Destroy\unins000.exe”
SpySubtract → c:\Program Files\InterMute\SpySubtract\SpySub.exe -uninstall
Synaptics Pointing Device Driver → rundll32.exe “C:\Program Files\Synaptics\SynTP\SynISDLL.dll”,standAloneUninstall
Update Rollup 2 for Windows XP Media Center Edition 2005 → C:\WINDOWS$NtUninstallKB900325$\spuninst\spuninst.exe
URL Assistant → regsvr32 /u /s “C:\Program Files\BAE\BAE.dll”
VideoLAN VLC media player 0.7.2 → C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player → C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Media Format 11 runtime → “C:\WINDOWS$NtUninstallWMFDist11$\spuninst\spuninst.exe”
Windows XP Media Center Edition 2005 KB908246 → “C:\WINDOWS$NtUninstallKB908246$\spuninst\spuninst.exe”
Windows XP Media Center Edition 2005 KB925766 → “C:\WINDOWS$NtUninstallKB925766$\spuninst\spuninst.exe”
Winkflash Transporter → MsiExec.exe /I{8B611C23-ADB6-4F5E-A04A-959EB0D349F6}

system · 2008-01-09T02:30:29.000Z

– Application Event Log -------------------------------------------------------

Event Record #/Type2308 / Error
Event Submitted/Written: 01/08/2008 06:42:24 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SpySub.exe, version 3.0.0.29, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2304 / Warning
Event Submitted/Written: 01/08/2008 06:10:16 PM
Event ID/Source: 19011 / MSSQL$MICROSOFTSMLBIZ
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type2296 / Warning
Event Submitted/Written: 01/08/2008 05:54:14 PM
Event ID/Source: 19011 / MSSQL$MICROSOFTSMLBIZ
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type2290 / Warning
Event Submitted/Written: 01/07/2008 10:08:05 PM
Event ID/Source: 19011 / MSSQL$MICROSOFTSMLBIZ
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type2288 / Error
Event Submitted/Written: 01/07/2008 10:07:52 PM
Event ID/Source: 1010 / Windows Product Activation
Event Description:
The Windows license was restored due to a system error. You might need to reactivate your Windows product.

– Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

– System Event Log ------------------------------------------------------------

Event Record #/Type21075 / Error
Event Submitted/Written: 01/08/2008 06:08:23 PM
Event ID/Source: 11 / PlugPlayManager
Event Description:
The device Root\LEGACY_FKORGGKC\0000 disappeared from the system without first being prepared for removal.

Event Record #/Type21074 / Error
Event Submitted/Written: 01/08/2008 06:08:22 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The combofix service failed to start due to the following error:
%%1053

Event Record #/Type21073 / Error
Event Submitted/Written: 01/08/2008 06:08:22 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the combofix service to connect.

Event Record #/Type21035 / Error
Event Submitted/Written: 01/08/2008 05:53:45 PM / 01/08/2008 05:54:15 PM
Event ID/Source: 4307 / NetBT
Event Description:
Initialization failed because the transport refused to open initial Addresses.

Event Record #/Type21005 / Error
Event Submitted/Written: 01/07/2008 10:08:18 PM
Event ID/Source: 32003 / ipnathlp
Event Description:
The Network Address Translator (NAT) was unable to request an operation
of the kernel-mode translation module.
This may indicate misconfiguration, insufficient resources, or
an internal error.
The data is the error code.

– End of Deckard’s System Scanner: finished at 2008-01-08 19:18:04 ------------

—That’s all of it— What next???

oldman960 · 2008-01-09T02:37:57.000Z

Everything seem ok at that end?? Let me know.

It look good here. I’ve got some clean up/housekeeping items for you to do.

system · 2008-01-09T02:45:03.000Z

So far so good. I rebooted. It never takes more than a minute before Avast finds that trojan and it hasn’t so far. System seems to be running faster also.

You had some clean up for me to do? Also, what more than Avast, Spybot, SpySubtract do I need in order to avoid this in the future?

system · 2008-01-09T02:53:14.000Z

Wooo. The Venus Fly Trap feature of SpySubtract just told me that changes were being made to my system, I clicked for further details and it listed about a 1,000 porn sites “URL Zone Change:*.gaypornmag.com” etc. I clicked on Deny and I was told they’ve been added to my restricted sites lists. How did that all happen

oldman960 · 2008-01-09T02:57:20.000Z

I think you were hit by a driveby. Any noticable effects?

Hold off on the cleanup and rerun Combofix and DSS

I’d suggest superantispyware. The free version is on demand only, that is you would have to scan manually. But with spybot as resident and doing regular SAS and avast scans, it should be a good combination. Right now SAS is the heaveywieght.

I’ll give you my “canned” speech regarding SAS if you want to try it. You should also disconect from the internet and pause avast and spybot. Faster that way and avast won’t be detecting SAS’s files and alerting you. Safe mode will work also as avast won’t be loaded in safe mode.

Download superantispyware

First update SAS Then

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked

CHECK ALL BOXES

Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.(and other fixed drives)
Under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan.

When the scan is done, quarentine everything found . Reboot if asked.

Please download OTMoveIt by OldTimer. Save it to your desktop and double-click OTMoveIt.exe to run it, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.
No #2 item for you
Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point , click create

Remove old restore points

Disk Cleanup

Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

Your java is waaay out of date. It can be an entry point for malware.

Open an Internet Explorer (only) window and go to http://www.java.com/en/download/manual.jsp > In the middle of the page, click on the Download button to the right of Java Runtime Environment (JRE) 6u3 > If Information Bar pop-ups up, right-click on it and say it’s OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control

Accept the license agreement > Click on Windows (XP,Vista, .etc) Offline Installation, Multi-language and Save the file jre-6u3-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files[b]JavaVM[/b] <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

Download and run this clean up utility. You can use it regularly. When it’s first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp

It looks like you are using windows firewall. It doesn’t provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

You can also delete any logs,notepads,etc that you may have left that where created during this.

system · 2008-01-09T03:08:06.000Z

I will do all that you said on your last post. Here is the results of the last Combofix you asked me to run. I’m going to runn DSS then go through your list of things to do from your last post.

ComboFix 08-01-09.2 - Sandy Rudy 2008-01-08 20:00:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1571 [GMT -7:00]
Running from: C:\Install\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))
.

2008-01-08 19:14 . 2008-01-08 19:14 d-------- C:\Deckard
2008-01-08 18:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-07 22:07 . 2008-01-07 22:07 2,126 --a------ C:\WINDOWS\system32\wpa.dbl
2008-01-07 19:07 . 2008-01-07 22:48 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-01 16:29 . 2008-01-01 16:29 d-------- C:\VundoFix Backups
2007-12-28 20:53 . 2008-01-01 19:54 356,352 --a------ C:\Documents and Settings\Sandy Rudy\cwshredder.dll
2007-12-26 20:22 . 2005-09-15 03:15 860,160 -ra------ C:\WINDOWS\system32\mcs_dec2.ax
2007-12-26 20:22 . 2005-08-22 04:11 700,416 -ra------ C:\WINDOWS\system32\mcs_cor1.dll
2007-12-26 20:22 . 2005-11-08 22:05 282,624 -ra------ C:\WINDOWS\Uninstall.exe
2007-12-26 20:22 . 2005-09-15 01:16 249,856 -ra------ C:\WINDOWS\system32\mcs_cor2.dll
2007-12-26 20:22 . 2005-08-22 04:12 147,456 -ra------ C:\WINDOWS\system32\mcs_vfw.dll
2007-12-26 20:22 . 2005-11-03 16:29 72,832 -ra------ C:\WINDOWS\system32\drivers\CamAvb.sys
2007-12-26 20:22 . 2005-12-16 01:53 58,624 -ra------ C:\WINDOWS\system32\drivers\CamAv.sys
2007-12-26 20:22 . 2004-12-28 03:19 57,344 -ra------ C:\WINDOWS\HAJEInstall.dll
2007-12-26 20:22 . 2005-07-19 17:23 11,648 -ra------ C:\WINDOWS\system32\drivers\CamFlt.sys
2007-12-26 20:22 . 2005-08-22 04:13 4,385 -ra------ C:\WINDOWS\system32\install.inf
2007-12-23 17:32 . 2007-12-23 17:32 d-------- C:\Program Files\InterMute
2007-12-23 17:32 . 2007-12-23 17:32 2,158 --a------ C:\WINDOWS\system32\ssmute.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 02:17 --------- d-----w C:\Program Files\Trend Micro
2007-12-27 03:24 --------- d-----w C:\Program Files\QuickTime
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-30 04:42 --------- d-----w C:\Program Files\MySpace
2007-11-30 04:42 --------- d-----w C:\Documents and Settings\Sandy Rudy\Application Data\MySpace
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 03:35 --------- d-----w C:\Program Files\Dl_cats
2007-10-30 09:55 3,065,856 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 00:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 00:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-11 05:57 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-10-11 05:57 666,112 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-11 05:57 617,984 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-11 05:57 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-11 05:57 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-11 05:57 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-10-11 05:57 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-11 05:57 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-11 05:57 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-10-11 05:57 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-10-11 05:57 205,824 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-11 05:57 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-11 05:57 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-10-11 05:57 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-11 05:57 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-11 05:57 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-10-11 05:57 1,024,000 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-10-10 10:48 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2005-11-03 23:29 72,832 ----a-r C:\WINDOWS\inf\CamAvb.sys
2007-01-09 02:02 88 --sh–r C:\WINDOWS\system32\BB92974E4C.sys
2007-01-09 02:03 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-08_18.13.31.62 )))))))))))))))))))))))))))))))))))))))))
.

2008-01-09 02:43:02 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_2b8.dat
2008-01-09 02:42:54 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ModemOnHold”=“C:\Program Files\NetWaiting\netWaiting.exe” [2003-09-10 01:24 20480]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-10 04:00 15360]
“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 09:24 1694208]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-08-14 15:31 68856]
“SpybotSD TeaTimer”=“C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ehTray”=“C:\WINDOWS\ehome\ehtray.exe” [2005-09-29 13:01 67584]
“igfxtray”=“C:\WINDOWS\system32\igfxtray.exe” [2005-12-13 22:44 98304]
“igfxhkcmd”=“C:\WINDOWS\system32\hkcmd.exe” [2005-12-13 22:41 77824]
“igfxpers”=“C:\WINDOWS\system32\igfxpers.exe” [2005-12-13 22:45 118784]
“IntelZeroConfig”=“C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe” [2006-05-01 08:28 667718]
“IntelWireless”=“C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” [2006-05-01 08:28 602182]
“SigmatelSysTrayApp”=“stsystra.exe” [2006-03-24 22:30 282624 C:\WINDOWS\stsystra.exe]
“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2006-03-08 17:48 761947]
“dla”=“C:\WINDOWS\system32\dla\tfswctrl.exe” [2004-12-06 00:05 127035]
“ISUSPM Startup”=“C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe” [2004-07-27 15:50 221184]
“ISUSScheduler”=“C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” [2004-07-27 15:50 81920]
“Google Desktop Search”=“C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” [2007-01-01 08:05 236544]
“PCMService”=“C:\Program Files\Dell\MediaDirect\PCMService.exe” [2006-08-22 14:32 184320]
“Device Detector”=“DevDetect.exe”
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-01-01 08:03 98304]
“dlcimon.exe”=“C:\Program Files\Dell AIO Printer 946\dlcimon.exe” [2006-02-14 02:26 430080]
“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 10:50 155648]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 06:00 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 21:07:32]
SpySubtract.lnk - C:\Program Files\InterMute\SpySubtract\SpySub.exe [2007-12-23 17:32:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“InstallVisualStyle”= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
“InstallTheme”= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{FA010552-4A27-4cb1-A1BB-3E2D697F1639}”= c:\Program Files\InterMute\SpySubtract\sshook.dll [2007-12-23 17:32 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
“AppInit_DLLs”=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R3 dlci_device;dlci_device;C:\WINDOWS\system32\dlcicoms.exe [2006-05-11 14:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 20:02:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

.
Completion time: 2008-01-08 20:03:29
ComboFix-quarantined-files.txt 2008-01-09 03:03:20
ComboFix2.txt 2008-01-09 01:13:46

system · 2008-01-09T03:10:38.000Z

Here’s what the DSS scan logged in main.txt

Deckard’s System Scanner v20071014.68
Run by Sandy Rudy on 2008-01-08 20:08:49
Computer is in Normal Mode.

– HijackThis (run as Sandy Rudy.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:54 PM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell AIO Printer 946\dlcimon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dlcicoms.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Install\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SANDYR~1.EXE

system · 2008-01-09T03:11:15.000Z

–
End of file - 8678 bytes

system · 2008-01-09T03:11:43.000Z

– Files created between 2007-12-08 and 2008-01-08 -----------------------------

2008-01-07 22:08:05 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-01-07 19:07:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-01 18:59:41 0 d-------- C:!KillBox
2008-01-01 16:29:32 0 d-------- C:\VundoFix Backups
2007-12-28 20:53:27 356352 --a------ C:\Documents and Settings\Sandy Rudy\cwshredder.dll <Not Verified; Trend Micro Incorporated; Anti-Spyware Engine>
2007-12-26 20:22:56 147456 -ra------ C:\WINDOWS\system32\mcs_vfw.dll
2007-12-26 20:22:56 249856 -ra------ C:\WINDOWS\system32\mcs_cor2.dll
2007-12-26 20:22:56 700416 -ra------ C:\WINDOWS\system32\mcs_cor1.dll
2007-12-26 20:22:40 282624 -ra------ C:\WINDOWS\Uninstall.exe <Not Verified; ; Uninstall ?? ???>
2007-12-26 20:22:40 11648 -ra------ C:\WINDOWS\system32\drivers\CamFlt.sys <Not Verified; Samsung electronics, Inc; Samsung electronics, Inc>
2007-12-26 20:22:40 72832 -ra------ C:\WINDOWS\system32\drivers\CamAvb.sys <Not Verified; Samsung Inc.; Samsung Digial Video Camera>
2007-12-26 20:22:40 58624 -ra------ C:\WINDOWS\system32\drivers\CamAv.sys <Not Verified; Samsung electronics, Inc; Samsung electronics, Inc>
2007-12-26 20:22:40 57344 -ra------ C:\WINDOWS\HAJEInstall.dll
2007-12-23 17:32:03 0 d-------- C:\Program Files\InterMute
2007-12-08 11:44:47 0 d-------- C:\WINDOWS\pss

– Find3M Report ---------------------------------------------------------------

2008-01-08 19:17:21 0 d-------- C:\Program Files\Trend Micro
2008-01-08 17:57:00 1466864 --a------ C:\Documents and Settings\Sandy Rudy\Application Data\CleanUp!.log
2007-12-26 20:24:33 0 d-------- C:\Program Files\QuickTime
2007-11-29 21:42:07 0 d-------- C:\Documents and Settings\Sandy Rudy\Application Data\MySpace
2007-11-29 21:42:03 0 d-------- C:\Program Files\MySpace
2007-11-12 20:35:10 0 d-------- C:\Program Files\Dl_cats

– Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ehTray”=“C:\WINDOWS\ehome\ehtray.exe” [09/29/2005 01:01 PM]
“igfxtray”=“C:\WINDOWS\system32\igfxtray.exe” [12/13/2005 10:44 PM]
“igfxhkcmd”=“C:\WINDOWS\system32\hkcmd.exe” [12/13/2005 10:41 PM]
“igfxpers”=“C:\WINDOWS\system32\igfxpers.exe” [12/13/2005 10:45 PM]
“IntelZeroConfig”=“C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe” [05/01/2006 08:28 AM]
“IntelWireless”=“C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” [05/01/2006 08:28 AM]
“SigmatelSysTrayApp”=“stsystra.exe” [03/24/2006 10:30 PM C:\WINDOWS\stsystra.exe]
“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [03/08/2006 05:48 PM]
“dla”=“C:\WINDOWS\system32\dla\tfswctrl.exe” [12/06/2004 12:05 AM]
“ISUSPM Startup”=“C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe” [07/27/2004 03:50 PM]
“ISUSScheduler”=“C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” [07/27/2004 03:50 PM]
“Google Desktop Search”=“C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” [01/01/2007 08:05 AM]
“PCMService”=“C:\Program Files\Dell\MediaDirect\PCMService.exe” [08/22/2006 02:32 PM]
“Device Detector”=“DevDetect.exe”
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [01/01/2007 08:03 AM]
“dlcimon.exe”=“C:\Program Files\Dell AIO Printer 946\dlcimon.exe” [02/14/2006 02:26 AM]
“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [07/09/2001 10:50 AM]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [12/04/2007 06:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ModemOnHold”=“C:\Program Files\NetWaiting\netWaiting.exe” [09/10/2003 01:24 AM]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [08/10/2004 04:00 AM]
“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [10/13/2004 09:24 AM]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [08/14/2007 03:31 PM]
“SpybotSD TeaTimer”=“C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” [08/31/2007 04:46 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 9:05:26 PM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [5/3/2005 9:07:32 PM]
SpySubtract.lnk - C:\Program Files\InterMute\SpySubtract\SpySub.exe [12/23/2007 5:32:04 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“InstallVisualStyle”=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
“InstallTheme”=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
“{FA010552-4A27-4cb1-A1BB-3E2D697F1639}”= c:\Program Files\InterMute\SpySubtract\sshook.dll [12/23/2007 05:32 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
“appinit_dlls”=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

– End of Deckard’s System Scanner: finished at 2008-01-08 20:09:11 ------------

oldman960 · 2008-01-09T03:18:59.000Z

Nothing jumps out right at the moment. Do the clean up, it won’t take long. Then I suggest you try SAS as layed out in safe mode,just to be sure. I’ll look over the logs some more and post if anthing found. You do the same and post back regardless of what you do or don’t find.

system · 2008-01-09T04:12:13.000Z

I have download, installed updated and I am now running SAS. It’s done with the Memory, Registry and over 8000 files scanned so far with nothing detected. Just thought I would keep you posted and also I wanted to thank you for your help on this. I thought I was stuck just having to reformat and reinstall everything (only to get infected again at a later date). So thank you for your expertise and time.

oldman960 · 2008-01-09T04:20:36.000Z

Hey no problem, let me know how you make out. You are a loooong way from a reformat.

Your logs look ok, nothing suspicious.

Announcements