Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

D

dzboo

22 Posts

1622

November 30th, 2007 03:00

Control panel is gone and have a popup "Warning! Potential Spyware Operation"

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:15 PM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\proper.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uaol] "C:\PROGRA~1\COMMON~1\YSTEM3~1\wuaclt.exe" -vt yazb
O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=295eb979-13c3-49db-8ac9-a18c2579694c
O4 - Startup: infos.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: autos.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - ?p=ZNxdm119KNUS
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\sol742.txt
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\propryhde.html

Bugbatter

20.5K Posts

November 30th, 2007 04:00

Welcome. Thank you for using Dell Community Forums. Father Christmas 2
I am reviewing your log.
In the meantime, you can help me by doing the following:

* Have you have posted this log on another forum? If so, please provide a link to the topic.

* If you are using any cracked software, please remove it.
Definition of cracked software:
http://en.wikipedia.org/wiki/Software_cracking

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer.
The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state.

* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* Have you already fixed entries using HijackThis? If so, please restore all the backups and then post another log. Please do not do anything else until you get further instructions.

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures.
Please follow all instructions in sequence, and do not run any fixes or scanners on your own because this may cause conflicts with the tools that I am using.

* If your replies do not fit in one post while we are handling your issue, please reply to yourself until all text is submitted. It may take several posts.

* Please disable realtime monitoring, except for your anti-virus, so it does not interfere while we are fixing your system. Refer to this page for information on disabling any realtime monitoring before we start working on a fix for your problem. That would be your AVG Anti-Spyware.

Disable Realtime Monitoring

I look forward to your reply.
























dzboo

22 Posts

December 1st, 2007 06:00

Thanks Bugbatter for you quick response.
Complied with everything you asked.  All set to get this fixed.

Bugbatter

20.5K Posts

December 1st, 2007 12:00

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click Smitfraudfix.exe
Select option #1 - Search by typing 1 and press " Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool";
it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

dzboo

22 Posts

December 2nd, 2007 05:00

SmitFraudFix v2.256
Scan done at 23:11:31.39, Sat 12/01/2007
Run from C:\Documents and Settings\David\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\WINDOWS\system32\winter.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\bronto.dll FOUND !
C:\WINDOWS\system32\proper.exe FOUND !
C:\WINDOWS\system32\winter.exe FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\David

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\David\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\David\STARTM~1\Programs\Startup\infos.exe FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autos.exe FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\David\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
 
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\sol742.txt"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock
 
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Intel(R) PRO/1000 PL Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 66.75.164.90
DNS Server Search Order: 66.75.164.89
HKLM\SYSTEM\CCS\Services\Tcpip\..\{949B6681-2D98-403D-B2DF-1D0562AC4628}: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CS1\Services\Tcpip\..\{949B6681-2D98-403D-B2DF-1D0562AC4628}: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CS2\Services\Tcpip\..\{949B6681-2D98-403D-B2DF-1D0562AC4628}: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=66.75.164.90 66.75.164.89

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Bugbatter

20.5K Posts

December 2nd, 2007 18:00

Please print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

AVG AS is still running.
Open AVG Anti-Spyware. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. Right-click on AVG AS in the system tray and uncheck "Start with Windows".
Go to Start > Run and type: services.msc
Press "OK".
In Services, click the "Extended tab" and scroll down the list to find AVG Anti-Spyware Guard.
When you find the guard service, double-click on it.
In the Properties Window > General Tab that opens, click the "Stop" button.
From the drop-down menu next to "Startup Type", click on "Manual".
Now click "Apply", then "OK" and close the Services window.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe again.
Select option #2 - Clean by typing 2 and press " Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report along with all others into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : Running option #2 on a non-infected computer will remove your Desktop background. You can reapply your desktop background again afterwards
.

____________________________________________________________

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display.
Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin
______________________________


In your next reply please include:

1. The report from SmitfraudFix found here: C:\rapport.txt
2. A fresh HijackThis log

You may need several replies to post the requested logs; otherwise they might get cut off.

Message Edited by Bugbatter on 12-02-2007 03:38 PM

dzboo

22 Posts

December 3rd, 2007 06:00

Thanks for all your help.
 
I ran Smitfraudfix, but when it prompted me for Registry cleaning and after typing Y, a message popped up "Registry editing has been disabled by your administrator."  even though i am the administrator. 
 
The control panel is still missing, so i went to the Internet Options through the Internet Explorer, Tools menu.  I  deleted the temporary internet files and cookies.  When I went to the Programs tab there wasn't a Reset Web Settings button.  I was not able to do any of the Control Panel, Display instructions.
 
The following are the smitfraudfix report and the HIjackthis log.
 
 

dzboo

22 Posts

December 3rd, 2007 06:00

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:26 PM, on 12/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uaol] "C:\PROGRA~1\COMMON~1\YSTEM3~1\wuaclt.exe" -vt yazb
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=295eb979-13c3-49db-8ac9-a18c2579694c
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - ?p=ZNxdm119KNUS
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\sol742.txt
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\propryhde.html

--
End of file - 11453 bytes

dzboo

22 Posts

December 3rd, 2007 06:00

SmitFraudFix v2.256
Scan done at 23:38:59.32, Sun 12/02/2007
Run from C:\Documents and Settings\David\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

192.168.200.3 ad.doubleclick.net
192.168.200.3 ad.fastclick.net
192.168.200.3 ads.fastclick.net
192.168.200.3 ar.atwola.com
192.168.200.3 atdmt.com
192.168.200.3 avp.ch
192.168.200.3 avp.com
192.168.200.3 avp.ru
192.168.200.3 awaps.net
192.168.200.3 banner.fastclick.net
192.168.200.3 banners.fastclick.net
192.168.200.3 ca.com
192.168.200.3 click.atdmt.com
192.168.200.3 clicks.atdmt.com
192.168.200.3 customer.symantec.com
192.168.200.3 dispatch.mcafee.com
192.168.200.3 download.mcafee.com
192.168.200.3 downloads-us1.kaspersky-labs.com
192.168.200.3 downloads-us2.kaspersky-labs.com
192.168.200.3 downloads-us3.kaspersky-labs.com
192.168.200.3 downloads1.kaspersky-labs.com
192.168.200.3 downloads2.kaspersky-labs.com
192.168.200.3 downloads3.kaspersky-labs.com
192.168.200.3 downloads4.kaspersky-labs.com
192.168.200.3 engine.awaps.net
192.168.200.3 f-secure.com
192.168.200.3 fastclick.net
192.168.200.3  ftp.avp.ch
192.168.200.3  ftp.downloads1.kaspersky-labs.com
192.168.200.3  ftp.downloads2.kaspersky-labs.com
192.168.200.3  ftp.downloads3.kaspersky-labs.com
192.168.200.3  ftp.f-secure.com
192.168.200.3  ftp.kasperskylab.ru
192.168.200.3  ftp.sophos.com
192.168.200.3 ids.kaspersky-labs.com
192.168.200.3 kaspersky-labs.com
192.168.200.3 kaspersky.com
192.168.200.3 liveupdate.symantec.com
192.168.200.3 liveupdate.symantecliveupdate.com
192.168.200.3 mast.mcafee.com
192.168.200.3 mcafee.com
192.168.200.3 media.fastclick.net
192.168.200.3 my-etrust.com
192.168.200.3 nai.com
192.168.200.3 networkassociates.com
192.168.200.3 norton.com
192.168.200.3 phx.corporate-ir.net
192.168.200.3 rads.mcafee.com
192.168.200.3 secure.nai.com
192.168.200.3 securityresponse.symantec.com
192.168.200.3 service1.symantec.com
192.168.200.3 sophos.com
192.168.200.3 spd.atdmt.com
192.168.200.3 symantec.com
192.168.200.3 trendmicro.com
192.168.200.3 update.symantec.com
192.168.200.3 updates.symantec.com
192.168.200.3 updates1.kaspersky-labs.com
192.168.200.3 updates2.kaspersky-labs.com
192.168.200.3 updates3.kaspersky-labs.com
192.168.200.3 updates4.kaspersky-labs.com
192.168.200.3 updates5.kaspersky-labs.com
192.168.200.3 us.mcafee.com
192.168.200.3 vil.nai.com
192.168.200.3 viruslist.com
192.168.200.3 viruslist.ru
192.168.200.3 virusscan.jotti.org
192.168.200.3 virustotal.com
192.168.200.3  www.avp.ch
192.168.200.3  www.avp.com
192.168.200.3  www.avp.ru
192.168.200.3  www.awaps.net
192.168.200.3  www.ca.com
192.168.200.3  www.f-secure.com
192.168.200.3  www.fastclick.net
192.168.200.3  www.grisoft.com
192.168.200.3  www.kaspersky-labs.com
192.168.200.3  www.kaspersky.com
192.168.200.3  www.kaspersky.ru
192.168.200.3  www.mcafee.com
192.168.200.3  www.my-etrust.com
192.168.200.3  www.nai.com
192.168.200.3  www.networkassociates.com
192.168.200.3  www.sophos.com
192.168.200.3  www.symantec.com
192.168.200.3  www.symantec.com
192.168.200.3  www.trendmicro.com
192.168.200.3  www.viruslist.com
192.168.200.3  www.viruslist.ru
192.168.200.3  www.virustotal.com
192.168.200.3 www3.ca.com
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\bronto.dll Deleted
C:\WINDOWS\system32\proper.exe Deleted
C:\WINDOWS\system32\winter.exe Deleted
C:\DOCUME~1\David\STARTM~1\Programs\Startup\infos.exe Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autos.exe Deleted
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{949B6681-2D98-403D-B2DF-1D0562AC4628}: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CS1\Services\Tcpip\..\{949B6681-2D98-403D-B2DF-1D0562AC4628}: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CS2\Services\Tcpip\..\{949B6681-2D98-403D-B2DF-1D0562AC4628}: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=66.75.164.90 66.75.164.89

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Bugbatter

20.5K Posts

December 3rd, 2007 11:00

Please download HostsXpert
  • And Save it to your Desktop
  • Rt Click Hoster.zip->>Extract all->>Extract it to your Desktop (or your C:\ drive)
  • Open The Hoster folder->>Double Click HostsXpert.exe
  • When the program Opens Click The "Restore MS Hosts File" button in the left pane.
  • Then select "Restore Original Hosts" when prompted.
  • Close the Hoster program when complete
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Following that, please do this:
1. Download Combofix from here:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
** Take note that the link is case sensitive
Save ComboFix to the desktop. **Note: It is important that it is saved directly to, and run from your desktop**

In the event you already have Combofix, please delete it as this is a new version.
* Close any open browsers. Disconnect from the internet.
* Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

2. Double click ComboFix.exe and follow the prompts.
You will temporarily lose the Desktop while the scan is running. Once the scan is done your Desktop will return to normal.

3. When finished, it will produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

Notes:
* Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
* ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

* Don't forget to enable your anti-virus before coming back online to post your logs.

The above instructions have been created specifically for this user. If you are not this user, do NOT follow these directions.

dzboo

22 Posts

December 3rd, 2007 21:00

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:23:32 PM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {00BC597C-6DDA-4A28-8C6A-87F81C2749C2} - C:\WINDOWS\system32\cfcggphw.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {146315AF-DA48-82E0-1A13-8E8DBA21D5E8} - C:\WINDOWS\system32\spvhlel.dll (file missing)
O2 - BHO: (no name) - {4DA36B1D-B12D-43A1-9ABB-49464EF50FC3} - C:\WINDOWS\system32\vtsqo.dll (file missing)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {5D0077E3-79F9-4424-B014-F5822BBFD106} - C:\WINDOWS\system32\ddabc.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {AA6B75BE-D733-42A8-8B98-709ED8030739} - C:\WINDOWS\system32\vtsqp.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C8E8ECB7-92E6-4536-AAF8-02D7C0B80E13} - C:\WINDOWS\system32\awtqn.dll (file missing)
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uaol] "C:\PROGRA~1\COMMON~1\YSTEM3~1\wuaclt.exe" -vt yazb
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=295eb979-13c3-49db-8ac9-a18c2579694c
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O8 - Extra context menu item: &Search - ?p=ZNxdm119KNUS
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O20 - Winlogon Notify: cbxwuts - cbxwuts.dll (file missing)
O20 - Winlogon Notify: efcyxuu - efcyxuu.dll (file missing)
O20 - Winlogon Notify: fccddab - fccddab.dll (file missing)
O20 - Winlogon Notify: gebawxv - gebawxv.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 12741 bytes

dzboo

22 Posts

December 3rd, 2007 21:00

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FOPN
-------\runtime


(((((((((((((((((((((((((   Files Created from 2007-11-03 to 2007-12-03  )))))))))))))))))))))))))))))))
.

2007-12-01 23:11 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-01 23:11 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-01 23:11 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-01 23:11 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-01 23:11 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-01 23:11 . 2007-12-02 23:39 4,806 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-29 20:41 . 2007-11-29 20:41   d-------- C:\Program Files\Trend Micro
2007-11-21 20:40 . 2007-11-21 20:40   d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-21 20:36 . 2007-11-22 08:44 289,280 --a------ C:\WINDOWS\system32\libcurl.dll
2007-11-21 20:02 . 2007-11-21 20:02   d-------- C:\Documents and Settings\David\Application Data\Grisoft
2007-11-21 19:57 . 2007-11-21 19:57   d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-21 19:57 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-20 20:50 . 2007-11-20 20:50   d--h----- C:\WINDOWS\system32\GroupPolicy
2007-11-20 16:41 . 2007-11-20 21:09 689,200 --ahs---- C:\WINDOWS\system32\oknngkbu.ini
2007-11-20 09:32 . 2007-11-20 09:32 4,286 --a------ C:\WINDOWS\system32\everybodybets.32x32.4.ico
2007-11-20 09:18 . 2007-11-20 09:18 2,538 --a------ C:\WINDOWS\system32\ebay.ico
2007-11-18 20:20 . 2007-11-19 09:14 609,543 --ahs---- C:\WINDOWS\system32\xwsmdsam.ini
2007-11-17 20:20 . 2007-11-17 20:20 606,162 --ahs---- C:\WINDOWS\system32\vmniwjwf.ini
2007-11-16 13:33 . 2007-11-17 20:17 606,102 --ahs---- C:\WINDOWS\system32\ecknncap.ini
2007-11-15 13:39 . 2007-11-15 20:49 575,693 --ahs---- C:\WINDOWS\system32\kqpcsvsc.ini
2007-11-14 13:37 . 2007-11-15 13:38 590,306 --ahs---- C:\WINDOWS\system32\ygunptvn.ini
2007-11-13 13:28 . 2007-11-14 13:29 592,248 --ahs---- C:\WINDOWS\system32\uplthxtx.ini
2007-11-12 13:36 . 2007-11-13 13:28 667,372 --ahs---- C:\WINDOWS\system32\yvmlcdaf.ini
2007-11-11 13:27 . 2007-11-12 13:28 591,016 --ahs---- C:\WINDOWS\system32\jacgghgr.ini
2007-11-10 13:28 . 2007-11-11 12:22 584,785 --ahs---- C:\WINDOWS\system32\atyhvcha.ini
2007-11-09 13:31 . 2007-11-09 13:32 584,656 --ahs---- C:\WINDOWS\system32\xfniyalc.ini
2007-11-07 20:17 . 2007-11-09 13:26 584,596 --ahs---- C:\WINDOWS\system32\uarwsqpt.ini
2007-11-06 20:17 . 2007-11-07 02:13 570,004 --ahs---- C:\WINDOWS\system32\dytbaykg.ini
2007-11-06 08:05 . 2007-11-21 21:21   d-------- C:\WINDOWS\system32\Mz02r
2007-11-06 08:05 . 2007-11-06 08:05   d-------- C:\Temp\mZOr

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 22:18 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2007-12-03 22:18 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2007-12-03 22:18 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2007-12-03 22:18 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2007-12-03 22:18 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2007-12-03 22:18 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2007-12-03 22:18 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2007-12-03 22:18 116,142 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2007-11-22 08:36 --------- d-----w C:\Program Files\Pinnacle
2007-11-21 23:44 --------- d-----w C:\Program Files\Google
2007-11-21 08:16 --------- d-----w C:\Documents and Settings\nini.BOO\Application Data\AdobeUM
2007-11-20 17:08 --------- d-----w C:\Documents and Settings\David\Application Data\uTorrent
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-09-12 19:24 1,670 ----a-w C:\Documents and Settings\nini.BOO\Application Data\wklnhst.dat
2007-07-13 20:39 3,556 ----a-w C:\Documents and Settings\David\Application Data\wklnhst.dat
2007-02-23 21:43 87,608 ----a-w C:\Documents and Settings\David\Application Data\ezpinst.exe
2007-02-23 21:43 47,360 ----a-w C:\Documents and Settings\David\Application Data\pcouffin.sys
2007-04-16 03:44 88 --sh--r C:\WINDOWS\system32\D577F08366.sys
2007-04-16 03:44 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00BC597C-6DDA-4A28-8C6A-87F81C2749C2}]
   C:\WINDOWS\system32\cfcggphw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{146315AF-DA48-82E0-1A13-8E8DBA21D5E8}]
   C:\WINDOWS\system32\spvhlel.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DA36B1D-B12D-43A1-9ABB-49464EF50FC3}]
   C:\WINDOWS\system32\vtsqo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D0077E3-79F9-4424-B014-F5822BBFD106}]
   C:\WINDOWS\system32\ddabc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA6B75BE-D733-42A8-8B98-709ED8030739}]
   C:\WINDOWS\system32\vtsqp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8E8ECB7-92E6-4536-AAF8-02D7C0B80E13}]
   C:\WINDOWS\system32\awtqn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"LaunchList"="C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 02:00]
"Uaol"="C:\PROGRA~1\COMMON~1\YSTEM3~1\wuaclt.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-04 09:28]
"froody"="C:\WINDOWS\system32\timoty.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"CheckNetworkConnection"="C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" [2006-01-09 15:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 11:01]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 20:20 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 04:56]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 18:05]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 07:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 07:44]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 02:20]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 01:46]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 15:26]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 09:58]
"D066UUtility"="C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE" [2000-07-06 19:11]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2006-05-22 13:26]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2007-03-27 08:53]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 00:12]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 08:18]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-28 07:39]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-06-12 11:32]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-08-27 23:36]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-08-27 23:36]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-08-27 23:36]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2007-08-27 23:36]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-04-20 12:19:57]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-20 12:18:07]
Event Reminder.lnk - C:\Program Files\PrintMaster 16\pmremind.exe [2004-01-20 02:10:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwuts]
cbxwuts.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcyxuu]
efcyxuu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccddab]
fccddab.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebawxv]
gebawxv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 13:30 79368 C:\WINDOWS\system32\UmxWNP.dll

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe"
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe"
R3 Angel2;Angel II MPEG Device;C:\WINDOWS\system32\DRIVERS\Angel2.sys
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe"
S3 C-Dilla;C-Dilla;\??\C:\WINDOWS\system32\drivers\CDANT.SYS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-24 02:28:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-29 06:53:26 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as David at 8 24 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-03 14:21:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-03 14:32:02 - machine was rebooted
.
 --- E O F ---

dzboo

22 Posts

December 3rd, 2007 21:00

thanks again,

 

followed the instructions for HostsXpert, however it didn't seem like it did anything.  I have no idea?

 

anyway here are the logs from combofix and hijackthis.

 

________________________________________________________________________________

 

ComboFix 07-12-02.7 - David 2007-12-03 14:08:14.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2407 [GMT -8:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\infos.exe
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Application Data.\Starware316
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\FindIt.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\FindItHot.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\findithotxp.png
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\finditxp.png
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\Highlight.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\HighlightHot.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\highlighthotxp.png
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\highlightxp.png
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\logo.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\logoxp.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\Reference.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\ReferenceHot.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\referencehotxp.png
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\referencexp.png
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\screensaver.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\Screensavers0.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\Weather.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\weatherhotxp.png
C:\Documents and Settings\All Users\Application Data.\Starware316\buttons\weatherxp.png
C:\Documents and Settings\All Users\Application Data.\Starware316\contexts\error.xml
C:\Documents and Settings\All Users\Application Data.\Starware316\contexts\related.xml
C:\Documents and Settings\All Users\Application Data.\Starware316\contexts\Travel.xml
C:\Documents and Settings\All Users\Application Data.\Starware316\Games\images\active\Games0.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\images\walertXP.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\Movies\images\active\Movies0.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
C:\Documents and Settings\All Users\Application Data.\Starware316\SimpleUpdate\ProductMessagingConfig.xml
C:\Documents and Settings\All Users\Application Data.\Starware316\SimpleUpdate\ProductMessagingConfig.xml.backup
C:\Documents and Settings\All Users\Application Data.\Starware316\SimpleUpdate\SimpleUpdateConfig.xml
C:\Documents and Settings\All Users\Application Data.\Starware316\SimpleUpdate\SimpleUpdateConfig.xml.backup
C:\Documents and Settings\All Users\Application Data.\Starware316\SimpleUpdate\TimerManagerConfig.xml
C:\Documents and Settings\All Users\Application Data.\Starware316\SimpleUpdate\TimerManagerConfig.xml.backup
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\FindIt.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\FindItHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\findithotxp.png
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\finditxp.png
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\Highlight.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\HighlightHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\highlighthotxp.png
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\highlightxp.png
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\logo.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\logoxp.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\Reference.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\ReferenceHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\referencehotxp.png
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\referencexp.png
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\screensaver.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\Screensavers0.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\Weather.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\weatherhotxp.png
C:\Documents and Settings\All Users\Application Data\Starware316\buttons\weatherxp.png
C:\Documents and Settings\All Users\Application Data\Starware316\contexts\error.xml
C:\Documents and Settings\All Users\Application Data\Starware316\contexts\related.xml
C:\Documents and Settings\All Users\Application Data\Starware316\contexts\Travel.xml
C:\Documents and Settings\All Users\Application Data\Starware316\Games\images\active\Games0.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\images\walertXP.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\Movies\images\active\Movies0.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
C:\Documents and Settings\All Users\Application Data\Starware316\SimpleUpdate\ProductMessagingConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware316\SimpleUpdate\ProductMessagingConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware316\SimpleUpdate\SimpleUpdateConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware316\SimpleUpdate\SimpleUpdateConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware316\SimpleUpdate\TimerManagerConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware316\SimpleUpdate\TimerManagerConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\#SharedObjects\K69QC2B7\www.broadcaster.com
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\#SharedObjects\K69QC2B7\www.broadcaster.com\played_list.sol
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\#SharedObjects\K69QC2B7\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\David\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\David\Application Data\Starware316
C:\Documents and Settings\David\Application Data\Starware316\Manager\ManagerOptions.xml
C:\Documents and Settings\David\Application Data\Starware316\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\David\err.log
C:\Documents and Settings\David\My Documents\SMANTE~1
C:\Documents and Settings\nini.BOO\Application Data\Starware316
C:\Documents and Settings\nini.BOO\Application Data\Starware316\BrowserSearch\BrowserSearch.xml
C:\Documents and Settings\nini.BOO\Application Data\Starware316\BrowserSearch\BrowserSearch.xml.backup
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Configurator\Configurator.xml
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Configurator\Configurator.xml.backup
C:\Documents and Settings\nini.BOO\Application Data\Starware316\ErrorSearch\ErrorSearchOptions.xml
C:\Documents and Settings\nini.BOO\Application Data\Starware316\ErrorSearch\ErrorSearchOptions.xml.backup
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Games\GamesOptions.xml
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Games\GamesOptions.xml.backup
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Layouts\PitchLayout.xml
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Layouts\PitchLayout.xml.backup
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Layouts\PreferencesLayout.xml
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Layouts\PreferencesLayout.xml.backup
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Layouts\ToolbarLayout.xml
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Layouts\ToolbarLayout.xml.backup
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Manager\ManagerOptions.xml
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Movies\MoviesOptions.xml
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Movies\MoviesOptions.xml.backup
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Reference\ReferenceOptions.xml
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Reference\ReferenceOptions.xml.backup
C:\Documents and Settings\nini.BOO\Application Data\Starware316\RelatedSearch\RelatedSearchOptions.xml
C:\Documents and Settings\nini.BOO\Application Data\Starware316\RelatedSearch\RelatedSearchOptions.xml.backup
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Screensavers\ScreensaversOptions.xml
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Screensavers\ScreensaversOptions.xml.backup
C:\Documents and Settings\nini.BOO\Application Data\Starware316\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
C:\Documents and Settings\nini.BOO\Application Data\Starware316\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
C:\Documents and Settings\nini.BOO\Application Data\Starware316\SearchAssistPlus\SearchAssistPlusOptions.xml
C:\Documents and Settings\nini.BOO\Application Data\Starware316\SearchAssistPlus\SearchAssistPlusOptions.xml.backup
C:\Documents and Settings\nini.BOO\Application Data\Starware316\SearchMatch\SearchMatchOptions.xml
C:\Documents and Settings\nini.BOO\Application Data\Starware316\SearchMatch\SearchMatchOptions.xml.backup
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Toolbar\TBProductsOptions.xml
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Toolbar\TBProductsOptions.xml.backup
C:\Documents and Settings\nini.BOO\Application Data\Starware316\ToolbarLogo\ToolbarLogoOptions.xml
C:\Documents and Settings\nini.BOO\Application Data\Starware316\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\Documents and Settings\nini.BOO\Application Data\Starware316\ToolbarSearch\ToolbarSearchOptions.xml
C:\Documents and Settings\nini.BOO\Application Data\Starware316\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\Documents and Settings\nini.BOO\Application Data\Starware316\TravelSearch\TravelSearchOptions.xml
C:\Documents and Settings\nini.BOO\Application Data\Starware316\TravelSearch\TravelSearchOptions.xml.backup
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Weather\AlertArchive.xml
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Weather\WeatherOptions.xml
C:\Documents and Settings\nini.BOO\Application Data\Starware316\Weather\WeatherOptions.xml.backup
C:\Documents and Settings\nini.BOO\err.log
C:\Documents and Settings\nini.BOO\Start Menu\Programs\Startup\infos.exe
C:\Program Files\Common Files\ystem3~1
C:\Program Files\Common Files\ystem3~1\?ystem32\
C:\Program Files\poolsv
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\YazzleBundle-1549.exe
C:\Program Files\svhost
C:\Program Files\Temporary
C:\Program Files\Windows Media Player\propryhde.html
C:\Program Files\wss.dll
C:\temp\ 0b9
C:\temp\ 0b9\tmpTF.log
C:\temp\ 0c2
C:\temp\ 0c2\tmpFF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\abW9
C:\Temp\abW9\tOasF.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\temp\iee
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\dracee.exe
C:\WINDOWS\system32\8_exception.nls
C:\WINDOWS\system32\A1
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\b10FdUe
C:\WINDOWS\system32\bbadd.bak1
C:\WINDOWS\system32\bbadd.bak2
C:\WINDOWS\system32\bbadd.ini
C:\WINDOWS\system32\ddabb.dll
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f10WtR
C:\WINDOWS\system32\L1
C:\WINDOWS\system32\L11
C:\WINDOWS\system32\L3
C:\WINDOWS\system32\L5
C:\WINDOWS\system32\L7
C:\WINDOWS\system32\lxpmlhwd.dll
C:\WINDOWS\system32\msftedswc.dll
C:\WINDOWS\system32\mskvtns.dll
C:\WINDOWS\system32\nunqbbrk.dll
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qeffyucs.dll
C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\rMa17yy
C:\WINDOWS\system32\rMa17yy\rMa17yy2314.exe
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\ubuijvtk.dll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\yaoehaxh.dll
C:\WINDOWS\system32\ydrloyyy.dll

.

dzboo

22 Posts

December 4th, 2007 02:00

I noticed that my control panel is back and I haven't had any popup warnings lately.  Everything seems to be running smootlhy so far.
 
thanks again!

Bugbatter

20.5K Posts

December 4th, 2007 03:00

You had quite a collection of malware in there.
Please launch HijackThis and place a checkmark next to the following:

O2 - BHO: (no name) - {00BC597C-6DDA-4A28-8C6A-87F81C2749C2} - C:\WINDOWS\system32\cfcggphw.dll (file missing)
O2 - BHO: (no name) - {146315AF-DA48-82E0-1A13-8E8DBA21D5E8} - C:\WINDOWS\system32\spvhlel.dll (file missing)
O2 - BHO: (no name) - {4DA36B1D-B12D-43A1-9ABB-49464EF50FC3} - C:\WINDOWS\system32\vtsqo.dll (file missing)
O2 - BHO: (no name) - {5D0077E3-79F9-4424-B014-F5822BBFD106} - C:\WINDOWS\system32\ddabc.dll (file missing)
O2 - BHO: (no name) - {AA6B75BE-D733-42A8-8B98-709ED8030739} - C:\WINDOWS\system32\vtsqp.dll (file missing)
O2 - BHO: (no name) - {C8E8ECB7-92E6-4536-AAF8-02D7C0B80E13} - C:\WINDOWS\system32\awtqn.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKCU\..\Run: [Uaol] "C:\PROGRA~1\COMMON~1\YSTEM3~1\wuaclt.exe" -vt yazb
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O20 - Winlogon Notify: cbxwuts - cbxwuts.dll (file missing)
O20 - Winlogon Notify: efcyxuu - efcyxuu.dll (file missing)
O20 - Winlogon Notify: fccddab - fccddab.dll (file missing)
020 - Winlogon Notify: gebawxv - gebawxv.dll (file missing)
Close all windows except Hijackthis and click "Fix Checked". Close HijackThis.

Open Notepad and copy/paste the following text between the dotted lines into it. Do not copy the dotted lines.
** Make sure you copy/paste ALL the text at once.
----------------------------------------------------------------------------------------------- 

File::
C:\WINDOWS\system32\oknngkbu.ini
C:\WINDOWS\system32\everybodybets.32x32.4.ico
C:\WINDOWS\system32\xwsmdsam.ini
C:\WINDOWS\system32\vmniwjwf.ini
C:\WINDOWS\system32\ecknncap.ini
C:\WINDOWS\system32\kqpcsvsc.ini
C:\WINDOWS\system32\ygunptvn.ini
C:\WINDOWS\system32\uplthxtx.ini
C:\WINDOWS\system32\yvmlcdaf.ini
C:\WINDOWS\system32\jacgghgr.ini
C:\WINDOWS\system32\atyhvcha.ini
C:\WINDOWS\system32\xfniyalc.ini
C:\WINDOWS\system32\uarwsqpt.ini
C:\WINDOWS\system32\dytbaykg.ini
C:\WINDOWS\system32\D577F08366.sys
C:\WINDOWS\system32\timoty.exe


Folder::
C:\WINDOWS\system32\Mz02r
C:\Temp\mZOr
C:\Documents and Settings\David\Application Data\uTorrent


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00BC597C-6DDA-4A28-8C6A-87F81C2749C2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{146315AF-DA48-82E0-1A13-8E8DBA21D5E8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DA36B1D-B12D-43A1-9ABB-49464EF50FC3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D0077E3-79F9-4424-B014-F5822BBFD106}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA6B75BE-D733-42A8-8B98-709ED8030739}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8E8ECB7-92E6-4536-AAF8-02D7C0B80E13}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"froody"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwuts]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcyxuu]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccddab]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebawxv]

--------------------------------------------------------------------------------------------------------

Save this as CFScript.txt

Photo Sharing and Video Hosting at Photobucket

Referring to the picture above, drag CFScript into ComboFix.exe
You will be prompted to run Combofix again. Follow the same instructions you did before for running ComboFix.
CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced here: C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Download and scan each user profile with CCleaner:
http://www.ccleaner.com/download/builds
** Select to download the SLIM version.
1. Before first use, select Options > Advanced and UNCHECK
" Only delete files in Windows Temp folder older than 48 hours"
2. Then select the items you wish to clean up.
In the Windows Tab:
• Clean all entries in the "Internet Explorer" section.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.
In the Applications Tab:
• Clean all in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.
3. Click the " Run Cleaner" button.
4. A pop up box will appear advising this process will permanently delete files from your system.
5. Click " OK" and it will scan and clean your system.
6. Click " exit" when done.
REBOOT.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely require a specific version of the JRE to run. Please follow these steps to remove older version Java components and update.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u3 allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each of the Java versions.

  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

Official JAVA Installation Instructions if needed.



Please provide the contents of the new ComboFix log in your next reply along with a new HijackThis log, and let me know how things are running.

dzboo

22 Posts

December 4th, 2007 05:00

ComboFix 07-12-02.7 - David 2007-12-03 23:15:19.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2447 [GMT -8:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David\Desktop\CFScript.txt
 * Created a new restore point

FILE
File::C:\WINDOWS\system32\oknngkbu.iniC:\WINDOWS\system32\everybodybets.32x32.4.icoC:\WINDOWS\system32\xwsmdsam.iniC:\WINDOWS\system32\vmniwjwf.iniC:\WINDOWS\system32\ecknncap.iniC:\WINDOWS\system32\kqpcsvsc.iniC:\WINDOWS\system32\ygunptvn.iniC:\WINDOWS\system32\uplthxtx.iniC:\WINDOWS\system32\yvmlcdaf.iniC:\WINDOWS\system32\jacgghgr.iniC:\WINDOWS\system32\atyhvcha.iniC:\WINDOWS\system32\xfniyalc.iniC:\WINDOWS\system32\uarwsqpt.iniC:\WINDOWS\system32\dytbaykg.iniC:\WINDOWS\system32\D577F08366.sysC:\WINDOWS\system32\timoty.exeFolder::C:\WINDOWS\system32\Mz02rC:\Temp\mZOrC:\Documents and Settings\David\Application Data\uTorrentRegistry::[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00BC597C-6DDA-4A28-8C6A-87F81C2749C2}][-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{146315AF-DA48-82E0-1A13-8E8DBA21D5E8}][-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DA36B1D-B12D-43A1-9ABB-49464EF50FC3}][-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D0077E3-79F9-4424-B014-F5822BBFD106}][-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA6B75BE-D733-42A8-8B98-709ED8030739}][-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8E8ECB7-92E6-4536-AAF8-02D7C0B80E13}][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"froody"=-[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwuts][-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcyxuu][-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccddab][-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebawxv]
.

(((((((((((((((((((((((((   Files Created from 2007-11-04 to 2007-12-04  )))))))))))))))))))))))))))))))
.

2007-12-03 15:07 . 2007-12-03 15:08   d-------- C:\combofix log
2007-12-01 23:11 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-01 23:11 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-01 23:11 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-01 23:11 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-01 23:11 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-01 23:11 . 2007-12-02 23:39 4,806 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-29 20:41 . 2007-11-29 20:41   d-------- C:\Program Files\Trend Micro
2007-11-21 20:40 . 2007-11-21 20:40   d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-21 20:36 . 2007-11-22 08:44 289,280 --a------ C:\WINDOWS\system32\libcurl.dll
2007-11-21 20:02 . 2007-11-21 20:02   d-------- C:\Documents and Settings\David\Application Data\Grisoft
2007-11-21 19:57 . 2007-11-21 19:57   d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-21 19:57 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-20 20:50 . 2007-11-20 20:50   d--h----- C:\WINDOWS\system32\GroupPolicy
2007-11-20 16:41 . 2007-11-20 21:09 689,200 --ahs---- C:\WINDOWS\system32\oknngkbu.ini
2007-11-20 09:32 . 2007-11-20 09:32 4,286 --a------ C:\WINDOWS\system32\everybodybets.32x32.4.ico
2007-11-20 09:18 . 2007-11-20 09:18 2,538 --a------ C:\WINDOWS\system32\ebay.ico
2007-11-18 20:20 . 2007-11-19 09:14 609,543 --ahs---- C:\WINDOWS\system32\xwsmdsam.ini
2007-11-17 20:20 . 2007-11-17 20:20 606,162 --ahs---- C:\WINDOWS\system32\vmniwjwf.ini
2007-11-16 13:33 . 2007-11-17 20:17 606,102 --ahs---- C:\WINDOWS\system32\ecknncap.ini
2007-11-15 13:39 . 2007-11-15 20:49 575,693 --ahs---- C:\WINDOWS\system32\kqpcsvsc.ini
2007-11-14 13:37 . 2007-11-15 13:38 590,306 --ahs---- C:\WINDOWS\system32\ygunptvn.ini
2007-11-13 13:28 . 2007-11-14 13:29 592,248 --ahs---- C:\WINDOWS\system32\uplthxtx.ini
2007-11-12 13:36 . 2007-11-13 13:28 667,372 --ahs---- C:\WINDOWS\system32\yvmlcdaf.ini
2007-11-11 13:27 . 2007-11-12 13:28 591,016 --ahs---- C:\WINDOWS\system32\jacgghgr.ini
2007-11-10 13:28 . 2007-11-11 12:22 584,785 --ahs---- C:\WINDOWS\system32\atyhvcha.ini
2007-11-09 13:31 . 2007-11-09 13:32 584,656 --ahs---- C:\WINDOWS\system32\xfniyalc.ini
2007-11-07 20:17 . 2007-11-09 13:26 584,596 --ahs---- C:\WINDOWS\system32\uarwsqpt.ini
2007-11-06 20:17 . 2007-11-07 02:13 570,004 --ahs---- C:\WINDOWS\system32\dytbaykg.ini
2007-11-06 08:05 . 2007-11-21 21:21   d-------- C:\WINDOWS\system32\Mz02r
2007-11-06 08:05 . 2007-11-06 08:05   d-------- C:\Temp\mZOr

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 23:39 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2007-12-03 23:39 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2007-12-03 23:39 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2007-12-03 23:39 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2007-12-03 23:39 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2007-12-03 23:39 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2007-12-03 23:39 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2007-12-03 23:39 116,142 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2007-11-22 08:36 --------- d-----w C:\Program Files\Pinnacle
2007-11-21 23:44 --------- d-----w C:\Program Files\Google
2007-11-21 08:16 --------- d-----w C:\Documents and Settings\nini.BOO\Application Data\AdobeUM
2007-11-20 17:08 --------- d-----w C:\Documents and Settings\David\Application Data\uTorrent
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-09-12 19:24 1,670 ----a-w C:\Documents and Settings\nini.BOO\Application Data\wklnhst.dat
2007-07-13 20:39 3,556 ----a-w C:\Documents and Settings\David\Application Data\wklnhst.dat
2007-02-23 21:43 87,608 ----a-w C:\Documents and Settings\David\Application Data\ezpinst.exe
2007-02-23 21:43 47,360 ----a-w C:\Documents and Settings\David\Application Data\pcouffin.sys
2007-04-16 03:44 88 --sh--r C:\WINDOWS\system32\D577F08366.sys
2007-04-16 03:44 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"LaunchList"="C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 02:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-04 09:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"CheckNetworkConnection"="C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" [2006-01-09 15:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 11:01]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 20:20 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 04:56]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 18:05]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 07:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 07:44]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 02:20]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 01:46]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 15:26]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 09:58]
"D066UUtility"="C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE" [2000-07-06 19:11]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2006-05-22 13:26]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2007-03-27 08:53]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 00:12]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 08:18]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-28 07:39]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-06-12 11:32]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-08-27 23:36]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-08-27 23:36]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-08-27 23:36]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2007-08-27 23:36]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-04-20 12:19:57]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-20 12:18:07]
Event Reminder.lnk - C:\Program Files\PrintMaster 16\pmremind.exe [2004-01-20 02:10:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 13:30 79368 C:\WINDOWS\system32\UmxWNP.dll

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe"
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe"
R3 Angel2;Angel II MPEG Device;C:\WINDOWS\system32\DRIVERS\Angel2.sys
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe"
S3 C-Dilla;C-Dilla;\??\C:\WINDOWS\system32\drivers\CDANT.SYS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-24 02:28:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-29 06:53:26 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as David at 8 24 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-03 23:16:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-03 23:17:52
C:\ComboFix2.txt ... 2007-12-03 14:32
.
 --- E O F ---

View More

View All

No Events found!

Top