Please help with Win32:BHO-KD [Trj] infection

Viruses and worms
1

Hi,

Recent model laptop running WinXPPro showed Win32:BHO-KD [trj] infection with Avast in C:\windows\system32\dlexcoml.dll[UPX].

Quarantined the virus but still have problems: error messages about not accessing memory, blocked install of other anti-vir software, no internet access either ethernet or wireless through IE7 or any program updates, won’t allow windows firewall service to start or be started manually, strange error message on boot about “u4hgogewh.exe has encountered a problem” (googled on this file with no result).

Based on other posts, here are HJT log, then combofix log, then HJT log.

Thanks in advance!

2

(continued)

FIRST HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 4:05:11 AM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

3

(continued)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061212
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061212
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: 100% Free Chess Toolbar Helper - {AE4F4014-3BF4-4CEB-B46C-3730A2340C4E} - C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll
O2 - BHO: (no name) - {B295C27F-7F5E-4BC7-B618-4D97253F3AA0} - c:\windows\system32\dinput8j.dll
O2 - BHO: (no name) - {BA466D75-93CC-4B04-9048-691B9206C4B6} - C:\WINDOWS\system32\dlcxcomml.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: 100% Free Chess Toolbar - {6F4F95AF-1647-4B72-A632-055405455423} - C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [IntelZeroConfig] “C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe”
O4 - HKLM..\Run: [IntelWireless] “C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” /tf Intel PROSet/Wireless
O4 - HKLM..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM..\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime -Delay
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [ISUSPM Startup] “C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe” -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [PCMService] “C:\Program Files\Dell\MediaDirect\PCMService.exe”
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKLM..\Run: [dlcxmon.exe] “C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe”
O4 - HKLM..\Run: [MemoryCardManager] “C:\Program Files\Dell Photo AIO Printer 926\memcard.exe”
O4 - HKLM..\Run: [FaxCenterServer] “C:\Program Files\Dell PC Fax\fm3032.exe” /s
O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKCU..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU..\Run: [DellSupport] “C:\Program Files\Dell Support\DSAgnt.exe” /startup
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device… - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168913282796
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://207.5.168.68/activex/AMC.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://mobilecountymaps.siteonestudio.com/taxmaps/acgm/acgm.cab
O20 - Winlogon Notify: kpcragvx - C:\WINDOWS\SYSTEM32\dinput8j.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

COMBOFIX LOG

ComboFix 08-01-23.1C - John 2008-01-25 4:18:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1307 [GMT -6:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\100%_Free_Chess_Toolbar_Uninstaller_1171.exe
C:\WINDOWS\system32\dinput8j.dll
C:\WINDOWS\Tasks.\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_XOGDFGYL
-------\xogdfgyl

4

(continued)

((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-25 04:16 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 20:39 . 2008-01-24 21:31 d-------- C:\Program Files\a-squared Free
2008-01-24 20:22 . 2008-01-25 04:24 1,740,832 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-24 20:22 . 2008-01-25 04:22 21,404 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-24 20:17 . 2007-09-06 16:14 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-24 20:16 . 2007-09-06 16:14 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-01-24 20:16 . 2008-01-25 04:23 353,247 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-01-24 19:43 . 2008-01-24 20:17 d-------- C:\WINDOWS\system32\ZoneLabs
2008-01-24 19:43 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-01-24 19:43 . 2008-01-24 20:19 4,212 —h----- C:\WINDOWS\system32\zllictbl.dat
2008-01-24 19:42 . 2008-01-24 20:35 d-------- C:\WINDOWS\Internet Logs
2008-01-24 13:16 . 2008-01-24 13:16 d-------- C:\Program Files\XoftSpySE
2008-01-24 11:32 . 2007-12-04 07:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-24 11:32 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-24 11:32 . 2007-12-04 06:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-24 11:32 . 2007-12-04 08:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-24 11:32 . 2007-12-04 08:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-24 11:32 . 2007-12-04 08:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-24 11:32 . 2007-12-04 08:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-24 11:32 . 2007-12-04 08:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-22 19:39 . 2008-01-22 19:39 d-------- C:\Program Files\Alwil Software
2008-01-22 19:29 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-22 15:01 . 2008-01-22 15:01 120,576 --a------ C:\WINDOWS\system32\ecccigpx.dat
2008-01-22 14:50 . 2008-01-22 14:50 d-------- C:\WINDOWS\system32\AppCert
2008-01-22 14:50 . 2004-09-15 12:27 16,384 --a------ C:\WINDOWS\system32\u4hgogewh.exe
2008-01-22 14:49 . 2008-01-22 14:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-22 14:49 . 2008-01-22 14:49 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-14 11:17 . 2008-01-14 11:17 d-------- C:\Program Files\Axis Communications

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 01:32 --------- d-----w C:\Program Files\Google
2008-01-23 02:04 --------- d-----w C:\Program Files\dl_cats
2008-01-22 20:54 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-12-20 22:46 1,482,579 ----a-w C:\Program Files\AlphaChessHistory.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{AE4F4014-3BF4-4CEB-B46C-3730A2340C4E}]
2007-08-07 08:30 798720 --a------ C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{BA466D75-93CC-4B04-9048-691B9206C4B6}]
C:\WINDOWS\system32\dlcxcomml.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{6F4F95AF-1647-4B72-A632-055405455423}

[HKEY_CLASSES_ROOT\clsid{6f4f95af-1647-4b72-a632-055405455423}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
“{6F4F95AF-1647-4B72-A632-055405455423}”= C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll [2007-08-07 08:30 798720]

[HKEY_CLASSES_ROOT\clsid{6f4f95af-1647-4b72-a632-055405455423}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ModemOnHold”=“C:\Program Files\NetWaiting\netWaiting.exe” [2003-09-10 02:24 20480]
“DellSupport”=“C:\Program Files\Dell Support\DSAgnt.exe” [2006-08-28 21:57 395776]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2006-03-08 18:48 761947]
“IntelZeroConfig”=“C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe” [2006-05-01 09:28 667718]
“IntelWireless”=“C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” [2006-05-01 09:28 602182]
“SigmatelSysTrayApp”=“stsystra.exe” [2006-03-24 23:30 282624 C:\WINDOWS\stsystra.exe]
“ATICCC”=“C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” [2006-01-02 17:41 45056]
“Dell QuickSet”=“C:\Program Files\Dell\QuickSet\quickset.exe” [2006-08-03 18:51 1032192]
“dla”=“C:\WINDOWS\system32\dla\tfswctrl.exe” [2004-12-06 01:05 127035]
“ISUSPM Startup”=“C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe” [2005-06-10 10:44 249856]
“ISUSScheduler”=“C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” [2005-06-10 10:44 81920]
“PCMService”=“C:\Program Files\Dell\MediaDirect\PCMService.exe” [2006-08-22 15:32 184320]
“Windows Defender”=“C:\Program Files\Windows Defender\MSASCui.exe” [2006-11-03 18:20 866584]
“dlcxmon.exe”=“C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe” [2006-06-14 06:51 286720]
“MemoryCardManager”=“C:\Program Files\Dell Photo AIO Printer 926\memcard.exe” [2006-06-27 05:34 299008]
“FaxCenterServer”=“C:\Program Files\Dell PC Fax\fm3032.exe” [2006-06-15 04:03 307200]
“Corel Photo Downloader”=“C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe” [2005-08-31 11:06 106496]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 07:00 79224]
“DLCXCATS”=“C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll” [2006-06-07 10:17 106496]
“ZoneAlarm Client”=“C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” [2007-09-06 16:14 919016]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“DWQueuedReporting”=“C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” [2003-11-10 11:52 34832]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 18:28:28 622653]
Dell Network Assistant.lnk - C:\WINDOWS\Installer{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-12-12 04:52:29 7168]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-12-12 04:48:16 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg!AVG Anti-Spyware]
–a------ 2007-06-11 03:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
–a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
–a------ 2006-12-12 05:00 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\u4hgogewh]
–a------ 2004-09-15 12:27 16384 C:\WINDOWS\system32\u4hgogewh.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\sessionmanager\appcertdlls]
appsecdll REG_EXPAND_SZ C:\WINDOWS\system32\AppCert\wsil32.dll

R3 dlcx_device;dlcx_device;C:\WINDOWS\system32\dlcxcoms.exe [2006-05-18 14:36]

.
Contents of the ‘Scheduled Tasks’ folder
“2008-01-25 02:34:10 C:\WINDOWS\Tasks\MP Scheduled Scan.job”

  • C:\Program Files\Windows Defender\MpCmdRun.exe
    “2008-01-25 10:23:31 C:\WINDOWS\Tasks\XoftSpySE 2.job”
  • C:\Program Files\XoftSpySE\XoftSpy.exe
    “2008-01-24 19:30:52 C:\WINDOWS\Tasks\XoftSpySE.job”
  • C:\Program Files\XoftSpySE\XoftSpy.exe
    .

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 04:24:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

.
Completion time: 2008-01-25 4:26:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-25 10:26:36
.
2008-01-18 22:52:57 — E O F —

5

(continued)

SECOND HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 4:30:34 AM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061212

6

(continued to end- sorry for so much info)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: 100% Free Chess Toolbar Helper - {AE4F4014-3BF4-4CEB-B46C-3730A2340C4E} - C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll
O2 - BHO: (no name) - {BA466D75-93CC-4B04-9048-691B9206C4B6} - C:\WINDOWS\system32\dlcxcomml.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: 100% Free Chess Toolbar - {6F4F95AF-1647-4B72-A632-055405455423} - C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [IntelZeroConfig] “C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe”
O4 - HKLM..\Run: [IntelWireless] “C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” /tf Intel PROSet/Wireless
O4 - HKLM..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM..\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime -Delay
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [ISUSPM Startup] “C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe” -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [PCMService] “C:\Program Files\Dell\MediaDirect\PCMService.exe”
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKLM..\Run: [dlcxmon.exe] “C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe”
O4 - HKLM..\Run: [MemoryCardManager] “C:\Program Files\Dell Photo AIO Printer 926\memcard.exe”
O4 - HKLM..\Run: [FaxCenterServer] “C:\Program Files\Dell PC Fax\fm3032.exe” /s
O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKCU..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU..\Run: [DellSupport] “C:\Program Files\Dell Support\DSAgnt.exe” /startup
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device… - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168913282796
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://207.5.168.68/activex/AMC.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://mobilecountymaps.siteonestudio.com/taxmaps/acgm/acgm.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Avast warning log doesn’t show anything but what looks like a failed update to the software with internet access down.

I sure appreciate you folks. Another time the Tech Support Guys got me out of a jam but it’s been a long while now without problems.

Grisen

7

You can find a list of forums offering help with malware removal here:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix#forums

8

You have an old version of HJT, please delete it and download and run the newer version. Please post that log.

You can get it from here.

Click here to download HJTsetup.exe

Also submit this file to www.virustotal.com

copy and paste this line into the submit a file box on their site, click send file and please post the results.

C:\WINDOWS\system32\u4hgogewh.exe

edit to correct syntax

9

Hi,

Thought maybe Freewheelin Frank had cut me loose :cry: . Went over to Tech Support Guy after the can’t-help-you reply here and also posted there. That was just 20 minutes ago-- then I saw your post. Thank you! :slight_smile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:57:38 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\John\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061212

10

(continued)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: 100% Free Chess Toolbar Helper - {AE4F4014-3BF4-4CEB-B46C-3730A2340C4E} - C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll
O2 - BHO: (no name) - {BA466D75-93CC-4B04-9048-691B9206C4B6} - C:\WINDOWS\system32\dlcxcomml.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: 100% Free Chess Toolbar - {6F4F95AF-1647-4B72-A632-055405455423} - C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [IntelZeroConfig] “C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe”
O4 - HKLM..\Run: [IntelWireless] “C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” /tf Intel PROSet/Wireless
O4 - HKLM..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM..\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime -Delay
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [ISUSPM Startup] “C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe” -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [PCMService] “C:\Program Files\Dell\MediaDirect\PCMService.exe”
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKLM..\Run: [dlcxmon.exe] “C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe”
O4 - HKLM..\Run: [MemoryCardManager] “C:\Program Files\Dell Photo AIO Printer 926\memcard.exe”
O4 - HKLM..\Run: [FaxCenterServer] “C:\Program Files\Dell PC Fax\fm3032.exe” /s
O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKCU..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU..\Run: [DellSupport] “C:\Program Files\Dell Support\DSAgnt.exe” /startup
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘Default user’)
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device… - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168913282796
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://207.5.168.68/activex/AMC.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://mobilecountymaps.siteonestudio.com/taxmaps/acgm/acgm.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


End of file - 10103 bytes

11
Thought maybe Freewheelin Frank had cut me loose Cry .

The helpers from the support forums haven’t been showing up very frequently, with a lot of posts going unanswered.

12

(continued)

VIRUS TOTAL RESULT 1

File hijackthis012508_258p.txt received on 01.25.2008 22:03:35 (CET)
Current status: Loading … queued waiting scanning finished NOT FOUND STOPPED
Result: 0/32 (0%)
Loading server information…
Your file is queued in position: 12.
Estimated start time is between 73 and 104 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they’re generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click “request” so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.1.26.10 2008.01.25 -
AntiVir 7.6.0.53 2008.01.25 -
Authentium 4.93.8 2008.01.25 -
Avast 4.7.1098.0 2008.01.25 -
AVG 7.5.0.516 2008.01.25 -
BitDefender 7.2 2008.01.25 -
CAT-QuickHeal 9.00 2008.01.25 -
ClamAV 0.91.2 2008.01.25 -
DrWeb 4.44.0.09170 2008.01.25 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5484 2008.01.25 -
Ewido 4.0 2008.01.25 -
FileAdvisor 1 2008.01.25 -
Fortinet 3.14.0.0 2008.01.25 -
F-Prot 4.4.2.54 2008.01.25 -
F-Secure 6.70.13260.0 2008.01.25 -
Ikarus T3.1.1.20 2008.01.25 -
Kaspersky 7.0.0.125 2008.01.25 -
McAfee 5215 2008.01.24 -
Microsoft 1.3109 2008.01.25 -
NOD32v2 2823 2008.01.25 -
Norman 5.80.02 2008.01.24 -
Panda 9.0.0.4 2008.01.25 -
Prevx1 V2 2008.01.25 -
Rising 20.28.41.00 2008.01.25 -
Sophos 4.25.0 2008.01.25 -
Sunbelt 2.2.907.0 2008.01.25 -
Symantec 10 2008.01.25 -
TheHacker 6.2.9.197 2008.01.25 -
VBA32 3.12.2.5 2008.01.21 -
VirusBuster 4.3.26:9 2008.01.25 -
Webwasher-Gateway 6.6.2 2008.01.25 -
Additional information
File size: 10105 bytes
MD5: 428d7ded6fb6ea71919bcf8c71056153
SHA1: 91306d63a548d595e37ee51b3f9936bd301d80f5
PEiD: -

VIRUS TOTAL RESULT ON TEXT FILE CONTAINING PATH
C:\WINDOWS\system32\u4hgogewh.exe
[\b]

File New_Text_Document.txt received on 01.25.2008 22:14:17 (CET)
Current status: File New_Text_Document.txt received on 01.25.2008 22:14:17 (CET)
Current status: Loading … queued waiting scanning finished NOT FOUND STOPPED
Result: 0/31 (0%)
Loading server information…
Your file is queued in position: 10.
Estimated start time is between 66 and 95 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they’re generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click “request” so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.1.26.10 2008.01.25 -
AntiVir 7.6.0.53 2008.01.25 -
Authentium 4.93.8 2008.01.25 -
Avast 4.7.1098.0 2008.01.25 -
AVG 7.5.0.516 2008.01.25 -
BitDefender 7.2 2008.01.25 -
CAT-QuickHeal 9.00 2008.01.25 -
ClamAV 0.91.2 2008.01.25 -
DrWeb 4.44.0.09170 2008.01.25 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5484 2008.01.25 -
Ewido 4.0 2008.01.25 -
FileAdvisor 1 2008.01.25 -
Fortinet 3.14.0.0 2008.01.25 -
F-Prot 4.4.2.54 2008.01.25 -
F-Secure 6.70.13260.0 2008.01.25 -
Ikarus T3.1.1.20 2008.01.25 -
Kaspersky 7.0.0.125 2008.01.25 -
Microsoft 1.3109 2008.01.25 -
NOD32v2 2823 2008.01.25 -
Norman 5.80.02 2008.01.24 -
Panda 9.0.0.4 2008.01.25 -
Prevx1 V2 2008.01.25 -
Rising 20.28.41.00 2008.01.25 -
Sophos 4.25.0 2008.01.25 -
Sunbelt 2.2.907.0 2008.01.25 -
Symantec 10 2008.01.25 -
TheHacker 6.2.9.197 2008.01.25 -
VBA32 3.12.2.5 2008.01.21 -
VirusBuster 4.3.26:9 2008.01.25 -
Webwasher-Gateway 6.6.2 2008.01.25 -
Additional information
File size: 39 bytes
MD5: 1f5d9576d13270b821566c1f545b62a2
SHA1: f73f5debea0fd8458d3f9e59560564410dd05a15
PEiD: -

13

BTW, ran VirusTotal on the executable itself and here is the result: (it said a scan of this file had been done previously-- 1.12.08, today is 1.25.08)

File u4hgogewh.exe received on 01.12.2008 10:56:25 (CET)
Current status: finished
Result: 9/32 (28.12%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.Morphine.Gen
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - (Suspicious) - DNAScan
ClamAV - - -
DrWeb - - -
eSafe - - Suspicious File
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - W32/Heuristic-114!Eldorado
F-Secure - - -
Ikarus - - -
Kaspersky - - Heur.Trojan.Generic
McAfee - - -
Microsoft - - VirTool:Win32/Obfuscator.Q
NOD32v2 - - a variant of Win32/Small.BB
Norman - - -
Panda - - Suspicious file
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Crypt.Morphine.Gen
Additional information
MD5: 45d8a7bc2cc161d1dc486218293f4b37
SHA1: bc0ec17c87a21896bb28569fb4cc5c8ec3956323
SHA256: e04699a052dcc48baed91a9ea056216fa56d5021f7c4aa65ebf757ad85332fe3
SHA512: 2bb895c581e05766958a4241ad12eba0645a223da476e401eb5f967964af831e 57f174b77529de070d87f7b1850734961db9dc9866624cbc52cf3942ab4d62e1

14

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. [b]

O2 - BHO: (no name) - {BA466D75-93CC-4B04-9048-691B9206C4B6} - C:\WINDOWS\system32\dlcxcomml.dll (file missing)

[/b]Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

  1. Please open Notepad
    [*] Click Start , then Run[*]Type notepad .exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


File::
C:\WINDOWS\system32\ecccigpx.dat
C:\WINDOWS\system32\u4hgogewh.exe
C:\WINDOWS\system32\dlcxcomml.dll

  1. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  2. Save the above as CFScript.txt

  3. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

  1. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*]Combofix.txt [*]A new HijackThis log.
15
That was just 20 minutes ago-- then I saw your post. Thank you!

You’re welcome. Essexboy has you now, you are in very good hands. ;D

16

Thank you, Essexboy and 1975Maggie. New combofix and hijackthis logs follow:

ComboFix 08-01-23.1C - John 2008-01-25 22:41:04.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1487 [GMT -6:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John\Desktop\CFScript.txt

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\dlcxcomml.dll
C:\WINDOWS\system32\ecccigpx.dat
C:\WINDOWS\system32\u4hgogewh.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ecccigpx.dat
C:\WINDOWS\system32\u4hgogewh.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.

2008-01-25 15:51 . 2008-01-25 15:51 15,232 --a------ C:\WINDOWS\system32\u4hgogewh.zip
2008-01-25 04:16 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 20:39 . 2008-01-24 21:31 d-------- C:\Program Files\a-squared Free
2008-01-24 20:22 . 2008-01-25 22:43 1,779,744 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-24 20:22 . 2008-01-25 16:02 21,668 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-24 20:17 . 2007-09-06 16:14 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-24 20:16 . 2007-09-06 16:14 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-01-24 20:16 . 2008-01-25 22:29 353,247 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-01-24 19:43 . 2008-01-24 20:17 d-------- C:\WINDOWS\system32\ZoneLabs
2008-01-24 19:43 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-01-24 19:43 . 2008-01-24 20:19 4,212 —h----- C:\WINDOWS\system32\zllictbl.dat
2008-01-24 19:42 . 2008-01-25 22:30 d-------- C:\WINDOWS\Internet Logs
2008-01-24 13:16 . 2008-01-24 13:16 d-------- C:\Program Files\XoftSpySE
2008-01-24 11:32 . 2007-12-04 07:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-24 11:32 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-24 11:32 . 2007-12-04 06:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-24 11:32 . 2007-12-04 08:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-24 11:32 . 2007-12-04 08:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-24 11:32 . 2007-12-04 08:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-24 11:32 . 2007-12-04 08:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-24 11:32 . 2007-12-04 08:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-22 19:39 . 2008-01-22 19:39 d-------- C:\Program Files\Alwil Software
2008-01-22 19:29 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-22 14:50 . 2008-01-22 14:50 d-------- C:\WINDOWS\system32\AppCert
2008-01-22 14:49 . 2008-01-22 14:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-22 14:49 . 2008-01-22 14:49 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-14 11:17 . 2008-01-14 11:17 d-------- C:\Program Files\Axis Communications

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 01:32 --------- d-----w C:\Program Files\Google
2008-01-23 02:04 --------- d-----w C:\Program Files\dl_cats
2008-01-22 20:54 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-01-22 20:54 360,064 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-01-19 20:22 7,518 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-20 22:46 1,482,579 ----a-w C:\Program Files\AlphaChessHistory.dat
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-25_ 4.25.45.59 )))))))))))))))))))))))))))))))))))))))))
.

  • 2008-01-25 10:17:42 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000001\NTUSER.DAT
  • 2008-01-26 04:40:26 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000001\NTUSER.DAT
  • 2008-01-25 10:17:42 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000002\UsrClass.dat
  • 2008-01-26 04:40:27 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000002\UsrClass.dat
  • 2008-01-25 10:17:43 3,698,688 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000003\NTUSER.DAT
  • 2008-01-26 04:40:27 3,715,072 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000003\NTUSER.DAT
  • 2008-01-25 10:17:43 98,304 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000004\UsrClass.dat
  • 2008-01-26 04:40:27 98,304 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000004\UsrClass.dat
  • 2008-01-25 10:17:43 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000005\NTUSER.DAT
  • 2008-01-26 04:40:27 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000005\NTUSER.DAT
  • 2008-01-25 10:17:43 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000006\UsrClass.dat
  • 2008-01-26 04:40:27 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users[u]0[/u]0000006\UsrClass.dat
  • 2008-01-26 04:26:24 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_b0.dat
    .
17

(continued)

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{AE4F4014-3BF4-4CEB-B46C-3730A2340C4E}]
2007-08-07 08:30 798720 --a------ C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{6F4F95AF-1647-4B72-A632-055405455423}

[HKEY_CLASSES_ROOT\clsid{6f4f95af-1647-4b72-a632-055405455423}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
“{6F4F95AF-1647-4B72-A632-055405455423}”= C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll [2007-08-07 08:30 798720]

[HKEY_CLASSES_ROOT\clsid{6f4f95af-1647-4b72-a632-055405455423}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ModemOnHold”=“C:\Program Files\NetWaiting\netWaiting.exe” [2003-09-10 02:24 20480]
“DellSupport”=“C:\Program Files\Dell Support\DSAgnt.exe” [2006-08-28 21:57 395776]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2006-03-08 18:48 761947]
“IntelZeroConfig”=“C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe” [2006-05-01 09:28 667718]
“IntelWireless”=“C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” [2006-05-01 09:28 602182]
“SigmatelSysTrayApp”=“stsystra.exe” [2006-03-24 23:30 282624 C:\WINDOWS\stsystra.exe]
“ATICCC”=“C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” [2006-01-02 17:41 45056]
“Dell QuickSet”=“C:\Program Files\Dell\QuickSet\quickset.exe” [2006-08-03 18:51 1032192]
“dla”=“C:\WINDOWS\system32\dla\tfswctrl.exe” [2004-12-06 01:05 127035]
“ISUSPM Startup”=“C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe” [2005-06-10 10:44 249856]
“ISUSScheduler”=“C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” [2005-06-10 10:44 81920]
“PCMService”=“C:\Program Files\Dell\MediaDirect\PCMService.exe” [2006-08-22 15:32 184320]
“Windows Defender”=“C:\Program Files\Windows Defender\MSASCui.exe” [2006-11-03 18:20 866584]
“dlcxmon.exe”=“C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe” [2006-06-14 06:51 286720]
“MemoryCardManager”=“C:\Program Files\Dell Photo AIO Printer 926\memcard.exe” [2006-06-27 05:34 299008]
“FaxCenterServer”=“C:\Program Files\Dell PC Fax\fm3032.exe” [2006-06-15 04:03 307200]
“Corel Photo Downloader”=“C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe” [2005-08-31 11:06 106496]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 07:00 79224]
“DLCXCATS”=“C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll” [2006-06-07 10:17 106496]
“ZoneAlarm Client”=“C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” [2007-09-06 16:14 919016]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“DWQueuedReporting”=“C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” [2003-11-10 11:52 34832]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 18:28:28 622653]
Dell Network Assistant.lnk - C:\WINDOWS\Installer{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-12-12 04:52:29 7168]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-12-12 04:48:16 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg!AVG Anti-Spyware]
–a------ 2007-06-11 03:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
–a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
–a------ 2006-12-12 05:00 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\u4hgogewh]
C:\WINDOWS\system32\u4hgogewh.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\sessionmanager\appcertdlls]
appsecdll REG_EXPAND_SZ C:\WINDOWS\system32\AppCert\wsil32.dll

R3 dlcx_device;dlcx_device;C:\WINDOWS\system32\dlcxcoms.exe [2006-05-18 14:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{b8a4e59e-c94e-11dc-aafb-00188ba682e6}]
\Shell\AutoRun\command - F:
\Shell\open\Command - .\autorun.exe explore

.
Contents of the ‘Scheduled Tasks’ folder
“2008-01-26 04:29:22 C:\WINDOWS\Tasks\MP Scheduled Scan.job”

  • C:\Program Files\Windows Defender\MpCmdRun.exe
    “2008-01-26 04:26:25 C:\WINDOWS\Tasks\XoftSpySE 2.job”
  • C:\Program Files\XoftSpySE\XoftSpy.exe
    “2008-01-24 19:30:52 C:\WINDOWS\Tasks\XoftSpySE.job”
  • C:\Program Files\XoftSpySE\XoftSpy.exe
    .

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 22:43:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

.
Completion time: 2008-01-25 22:44:17
ComboFix-quarantined-files.txt 2008-01-26 04:44:14
ComboFix2.txt 2008-01-25 10:26:44
.
2008-01-18 22:52:57 — E O F —

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:14 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\John\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061212

18

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: 100% Free Chess Toolbar Helper - {AE4F4014-3BF4-4CEB-B46C-3730A2340C4E} - C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: 100% Free Chess Toolbar - {6F4F95AF-1647-4B72-A632-055405455423} - C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [IntelZeroConfig] “C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe”
O4 - HKLM..\Run: [IntelWireless] “C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” /tf Intel PROSet/Wireless
O4 - HKLM..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM..\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime -Delay
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [ISUSPM Startup] “C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe” -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [PCMService] “C:\Program Files\Dell\MediaDirect\PCMService.exe”
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKLM..\Run: [dlcxmon.exe] “C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe”
O4 - HKLM..\Run: [MemoryCardManager] “C:\Program Files\Dell Photo AIO Printer 926\memcard.exe”
O4 - HKLM..\Run: [FaxCenterServer] “C:\Program Files\Dell PC Fax\fm3032.exe” /s
O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKCU..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU..\Run: [DellSupport] “C:\Program Files\Dell Support\DSAgnt.exe” /startup
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘Default user’)
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device… - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168913282796
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://207.5.168.68/activex/AMC.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://mobilecountymaps.siteonestudio.com/taxmaps/acgm/acgm.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


End of file - 9901 bytes

BY THE WAY, I REMEMBER THAT THERE WAS A C:\WINDOWS\system32\u4hgogewh.zip FILE IN THAT DIRECTORY AS WELL. DON’T KNOW ITS FUNCTION BUT IF .EXE IS SUSPECT, THEN .ZIP SHOULD PROBABLY ALSO BE REMOVED, NO?

Thanks,

Grisen

19

Okay we seem have a new file, so let’s clean somethings up and see if we can stop this.

Go to add/remove programs and uninstall this program

Free Chess toolbar or similar, you can keep the game, it’s just the toolbar that’s questionable.

Reason:

http://www.castlecops.com/CLSID.html

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File:: C:\WINDOWS\system32\u4hgogewh.zip

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\u4hgogewh]

This will start ComboFix again.Close all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Let’s get this java caught up. Old java can be an entry point for malware.

Your java is a bit behind.

Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to “Java Runtime Environment (JRE) 6 Update 4…allows end-users to run Java applications”.

Click the download button on the right.

If Information Bar pop-ups up, right-click on it and say it’s OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control

Accept the license agreement > Click on Windows (XP,Vista, .etc) Offline Installation, Multi-language and Save the file jre-6u4-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files[b]JavaVM[/b] <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

Please tell us of any problems you are experiencing.

20

Thanks for your reply, 1975maggie.

100% Free Chess Toolbar - “Uninstaller Error: It may already have been removed. Would you like to remove it from the Add / Remove Programs list?”

ComboFix 08-01-23.1C - John 2008-01-26 1:02:05.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1485 [GMT -6:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John\Desktop\CFScript.txt

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\u4hgogewh.zip
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\u4hgogewh.zip

.
((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.

2008-01-25 04:16 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 20:39 . 2008-01-24 21:31 d-------- C:\Program Files\a-squared Free
2008-01-24 20:22 . 2008-01-26 01:03 1,816,608 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-24 20:22 . 2008-01-26 00:09 22,052 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-24 20:17 . 2007-09-06 16:14 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-24 20:16 . 2007-09-06 16:14 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-01-24 20:16 . 2008-01-26 00:35 353,247 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-01-24 19:43 . 2008-01-24 20:17 d-------- C:\WINDOWS\system32\ZoneLabs
2008-01-24 19:43 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-01-24 19:43 . 2008-01-24 20:19 4,212 —h----- C:\WINDOWS\system32\zllictbl.dat
2008-01-24 19:42 . 2008-01-26 00:37 d-------- C:\WINDOWS\Internet Logs
2008-01-24 13:16 . 2008-01-24 13:16 d-------- C:\Program Files\XoftSpySE
2008-01-24 11:32 . 2007-12-04 07:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-24 11:32 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-24 11:32 . 2007-12-04 06:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-24 11:32 . 2007-12-04 08:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-24 11:32 . 2007-12-04 08:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-24 11:32 . 2007-12-04 08:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-24 11:32 . 2007-12-04 08:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-24 11:32 . 2007-12-04 08:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-22 19:39 . 2008-01-22 19:39 d-------- C:\Program Files\Alwil Software
2008-01-22 14:50 . 2008-01-22 14:50 d-------- C:\WINDOWS\system32\AppCert
2008-01-22 14:49 . 2008-01-22 14:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-22 14:49 . 2008-01-22 14:49 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-14 11:17 . 2008-01-14 11:17 d-------- C:\Program Files\Axis Communications