Antimal problem

dnorng · 2006/10/06

You guys have probably heard of this before. I just need to know how to remove it. I have HJT.. heres my log:

Logfile of HijackThis v1.99.1
Scan saved at 12:50:39 AM, on 10/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\isnotify.exe
C:\WINDOWS\system32\issearch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\ismini.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\SafetyBar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156290113109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159167664765
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/sis/popcaploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjjq32 - C:\WINDOWS\SYSTEM32\winjjq32.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

TeMerc · 2006/10/07

Hello and welcome to WindowsBBS Forums.

This looks to be a Vundo infection, so lets run one of the Vundo tools and another file scanner.

Please download VundoFix.exe to your desktop.

Double-click *VundoFix.exe* to run it.

Click the *Scan for Vundo* button.

Once it's done scanning, click the *Remove Vundo* button.

You will receive a prompt asking if you want to remove the files, click *YES*

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will reboot your computer, click *OK*.

Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the *Scan for Vundo* button." when
VundoFix appears at reboot

Then:
Download combofix.exe

Double click combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

After those two have scanned, run another HJT log file and post back here please.

Geri · 2006/10/07

Hi dnorng

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter "; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool "; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Please follow TeMerc's instructions.

Hey Tom
Posted at the same time.

TeMerc · 2006/10/07

Geri is also correct, you do indeed have a SmithFraud infection.

I would like you to please run the Vundo tool first, then the SmithFraud, post those two logs, negating the HJT log, until we see the SmithFraud log.

You can also hold off on ComboFix as well.

Sorry for any confusion.

dnorng · 2006/10/07

I ran vundo twice and it didnt find anything. then ran smitfraud and heres what it said:

SmitFraudFix v2.105

Scan done at 2:33:16.23, Sat 10/07/2006
Run from C:\Documents and Settings\David.DALAPTOP\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ishost.exe FOUND !
C:\WINDOWS\system32\ismini.exe FOUND !
C:\WINDOWS\system32\isnotify.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\David.DALAPTOP

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\David.DALAPTOP\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DAVID~1.DAL\FAVORI~1

C:\DOCUME~1\DAVID~1.DAL\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Safety Bar\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source "= "About:Home "
"SubscribedURL "= "About:Home "
"FriendlyName "= "My Current Home Page "

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously "= "{03413bf7-e34c-445b-bfc0-a2b127255871} "

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs "=" "

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Geri · 2006/10/07

Hi dnorng

OK Lets do this now...

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter ".

Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ? "; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter ".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Now Download this and run it following the instruction.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post the smitfraud txt log, combofix log and a new HJT Log into this thread.

Geri

dnorng · 2006/10/07

Okay did everything as said so here it is

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 12:45:46 PM, on 10/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156290113109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159167664765
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/sis/popcaploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjjq32 - C:\WINDOWS\SYSTEM32\winjjq32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

SmitFraudFix:

SmitFraudFix v2.105

Scan done at 12:31:37.92, Sat 10/07/2006
Run from C:\Documents and Settings\David.DALAPTOP\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously "= "{03413bf7-e34c-445b-bfc0-a2b127255871} "

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ishost.exe Deleted
C:\WINDOWS\system32\ismini.exe Deleted
C:\WINDOWS\system32\isnotify.exe Deleted
C:\WINDOWS\system32\issearch.exe Deleted
C:\WINDOWS\system32\ixt?.dll Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
C:\DOCUME~1\DAVID~1.DAL\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\Program Files\Safety Bar\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

dnorng · 2006/10/07

Sorry it wouldnt let me do it all on one post so heres the other log

ComboFix:

David - 06-10-07 12:43:17.73 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\My Downloads "

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\components

((((((((((((((((((((((((((((((( Files Created from 2006-09-07 to 2006-10-07 ))))))))))))))))))))))))))))))))))

2006-10-04 14:55 15,872 --a------ C:\WINDOWS\system32\winjjq32.dll
2006-10-04 14:53 87 --a------ C:\WINDOWS\system32\sysogg.dll
2006-09-26 00:48 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2006-09-26 00:48 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2006-09-26 00:48 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2006-09-25 18:56 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2006-09-25 15:02 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-09-24 20:06 223,128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2006-09-24 20:01 96,256 --a------ C:\WINDOWS\system32\drivers\sptd1869.sys
2006-09-24 20:01 643,072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-09-24 00:54 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-07 02:09 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-07 00:50 -------- d-------- C:\Program Files\Hijackthis
2006-10-04 14:52 -------- d-------- C:\Program Files\Ogg Converter
2006-10-01 01:37 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\AIM
2006-09-27 17:12 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Google
2006-09-27 14:03 -------- d-------- C:\Program Files\Google
2006-09-26 23:35 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Adobe
2006-09-24 04:00 -------- d-------- C:\Program Files\WinRAR
2006-09-24 03:29 -------- d-------- C:\Program Files\EA GAMES
2006-09-24 02:44 -------- d-------- C:\Program Files\ModTheSims2.com
2006-09-24 00:48 -------- d-------- C:\Program Files\Microsoft Games
2006-09-19 13:14 -------- d---s---- C:\Documents and Settings\David.DALAPTOP\Application Data\Microsoft
2006-09-19 13:09 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\ZangoToolbar
2006-09-12 15:54 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\AdobeUM
2006-09-11 23:02 -------- d-------- C:\Program Files\Norton Internet Security
2006-09-10 06:12 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-10 06:12 -------- d-------- C:\Program Files\Common Files\Sonic Shared
2006-09-06 11:52 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Apple Computer
2006-08-30 02:25 -------- d-------- C:\Program Files\QuickTime
2006-08-29 02:51 -------- d-a------ C:\Program Files\MyWebSearch
2006-08-28 01:21 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Sonic
2006-08-28 01:21 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Leadertech
2006-08-26 21:48 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Macromedia
2006-08-26 00:36 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-08-26 00:36 -------- d-------- C:\Program Files\Common Files\Adobe
2006-08-26 00:36 -------- d-------- C:\Program Files\Common Files
2006-08-26 00:35 -------- d-------- C:\Program Files\Adobe
2006-08-26 00:32 -------- d-------- C:\Program Files\WinZip
2006-08-26 00:04 -------- d-------- C:\Program Files\OfficeUpdate11
2006-08-26 00:02 -------- d-------- C:\Program Files\Microsoft Works
2006-08-26 00:02 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-08-25 23:55 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-08-25 23:55 -------- d-------- C:\Program Files\Common Files\DESIGNER
2006-08-25 23:54 -------- d-------- C:\Program Files\Microsoft Visual Studio
2006-08-25 23:54 -------- d-------- C:\Program Files\Microsoft Office
2006-08-25 23:54 -------- d-------- C:\Program Files\Common Files\System
2006-08-25 23:53 -------- d-------- C:\Program Files\Microsoft.NET
2006-08-25 15:57 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Creative
2006-08-24 14:49 -------- d-------- C:\Program Files\Java
2006-08-24 13:37 -------- d-------- C:\Program Files\Winamp
2006-08-24 13:26 -------- d-------- C:\Program Files\LimeWire
2006-08-24 01:54 88 -r-hs---- C:\WINDOWS\system32\EE07051450.sys
2006-08-24 01:54 3766 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-08-24 01:53 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Corel Photo Album
2006-08-23 02:52 -------- d-------- C:\Program Files\Internet Explorer
2006-08-23 02:21 -------- d-------- C:\Program Files\Windows Media Player
2006-08-23 02:18 -------- d-------- C:\Program Files\Outlook Express
2006-08-23 01:15 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\acccore
2006-08-23 01:14 -------- d-------- C:\Program Files\AIM
2006-08-23 01:14 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\AIMPro
2006-08-22 20:02 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Real
2006-08-22 19:59 -------- d-------- C:\Program Files\Common Files\xing shared
2006-08-22 19:59 -------- d-------- C:\Program Files\Common Files\Real
2006-08-22 19:32 -------- d-------- C:\Program Files\Symantec
2006-08-22 19:30 -------- d-------- C:\Program Files\Dell Support
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-17 11:31 -------- d-------- C:\Program Files\Dell
2006-08-17 11:29 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Symantec
2006-08-17 11:27 -------- d-------- C:\Program Files\SearchAssist
2006-08-17 11:27 -------- d-------- C:\Program Files\BAE
2006-08-17 11:25 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-08-17 11:23 -------- d-------- C:\Program Files\Sonic
2006-08-17 11:22 -------- d-------- C:\Program Files\Roxio
2006-08-17 11:21 -------- d-------- C:\Program Files\Corel Corporation
2006-08-17 11:21 -------- d-------- C:\Program Files\Corel
2006-08-17 11:21 -------- d-------- C:\Program Files\Common Files\Corel
2006-08-17 11:19 -------- d-------- C:\Program Files\MUSICMATCH
2006-08-17 11:18 -------- d--h----- C:\Documents and Settings\David.DALAPTOP\Application Data\Gtek
2006-08-17 11:18 -------- d-------- C:\Program Files\WildTangent
2006-08-17 11:18 -------- d-------- C:\Program Files\WebCyberCoach
2006-08-17 11:17 -------- d-------- C:\Program Files\WordPerfect Office 12
2006-08-17 11:17 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-08-17 11:17 -------- d-------- C:\Program Files\Common Files\Borland Shared
2006-08-17 11:16 8552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys
2006-08-17 11:16 -------- d-------- C:\Program Files\Viewpoint
2006-08-17 11:16 -------- d-------- C:\Program Files\Real
2006-08-17 11:16 -------- d-------- C:\Program Files\Learn2.com
2006-08-17 11:16 -------- d-------- C:\Program Files\EarthLink Setup
2006-08-17 11:16 -------- d-------- C:\Program Files\Common Files\Nullsoft
2006-08-17 11:16 -------- d-------- C:\Program Files\Common Files\aolshare
2006-08-17 11:16 -------- d-------- C:\Program Files\AOL Companion
2006-08-17 11:16 -------- d-------- C:\Program Files\America Online 9.0
2006-08-17 11:15 -------- d-------- C:\Program Files\Microsoft Plus! Photo Story 2 LE
2006-08-17 11:15 -------- d-------- C:\Program Files\Microsoft Plus! Digital Media Edition
2006-08-17 11:15 -------- d-------- C:\Program Files\Common Files\AOL
2006-08-17 11:14 -------- d-------- C:\Program Files\NetZeroInstallers
2006-08-17 11:11 -------- d-------- C:\Program Files\Creative
2006-08-17 11:10 32 --a------ C:\WINDOWS\system32\mes2046.dll
2006-08-17 11:10 -------- d-------- C:\Program Files\Common Files\Creative Labs Shared
2006-08-17 11:09 -------- d-------- C:\Program Files\NetWaiting
2006-08-17 11:09 -------- d-------- C:\Program Files\Modem Helper
2006-08-17 11:09 -------- d-------- C:\Program Files\InterActual
2006-08-17 11:09 -------- d-------- C:\Program Files\Digital Line Detect
2006-08-17 11:09 -------- d-------- C:\Program Files\Broadcom
2006-08-17 11:08 -------- d-------- C:\Program Files\Common Files\Roxio Shared
2006-08-17 11:06 -------- d-------- C:\Program Files\Sigmatel
2006-08-17 11:06 -------- d-------- C:\Program Files\CONEXANT
2006-08-17 11:05 -------- d-------- C:\Program Files\Intel, Inc
2006-08-17 11:05 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Intel
2006-08-17 11:04 21275 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2006-08-17 11:04 -------- d-------- C:\Program Files\Intel
2006-08-17 11:02 -------- d-------- C:\Program Files\Messenger
2006-08-17 11:01 -------- d-------- C:\Program Files\Common Files\Java
2006-08-17 11:01 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Sun
2006-08-17 10:48 -------- d-------- C:\Program Files\Synaptics
2006-08-07 17:02 534208 --a------ C:\WINDOWS\system32\SymNeti.dll
2006-08-07 17:02 31936 --a------ C:\WINDOWS\system32\drivers\symids.sys
2006-08-07 17:02 28352 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2006-08-07 17:02 24768 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2006-08-07 17:02 195776 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2006-08-07 17:02 161472 --a------ C:\WINDOWS\system32\SymRedir.dll
2006-08-07 17:02 110784 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2006-08-07 17:01 12992 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\\WINDOWS\\system32\\ctfmon.exe "
"MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
"swg "= "C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp "= "\ "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\" "
"IntelZeroConfig "= "\ "C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\" "
"IntelWireless "= "\ "C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless "
"QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
"ISUSPM Startup "= "\ "C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe\" -startup "
"TkBellExe "= "\ "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed "= "1 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed "= "1 "
"NoChange "= "1 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed "= "1 "

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion "=dword:00000110
"DeskHtmlMinorVersion "=dword:00000005
"Settings "=dword:00000001
"GeneralFlags "=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun "=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername "=dword:00000000
"legalnoticecaption "=" "
"legalnoticetext "=" "
"shutdownwithoutlogon "=dword:00000001
"undockwithoutlogon "=dword:00000001
"InstallVisualStyle "=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme "=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun "=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun "=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
"CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
"WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
"SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "
"UPnPMonitor "= "{e57ce738-33e8-4c51-8354-bb4de9d215d1} "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk "
"backup "= "C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup "
"location "= "Common Startup "
"command "= "C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item "= "Adobe Gamma Loader "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
"path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Digital Line Detect.lnk "
"backup "= "C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup "
"location "= "Common Startup "
"command "= "C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
"item "= "Digital Line Detect "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "=" "
"hkey "= "HKLM "
"command "=" "
"inimapping "= "0 "

dnorng · 2006/10/07

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Creative Detector]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "CTDetect "
"hkey "= "HKCU "
"command "= "\ "C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe\" /R "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ctfmon.exe]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "ctfmon "
"hkey "= "HKCU "
"command "= "C:\\WINDOWS\\system32\\ctfmon.exe "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CTSysVol]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "CTSysVol "
"hkey "= "HKLM "
"command "= "C:\\Program Files\\Creative\\SBAudigy\\Surround Mixer\\CTSysVol.exe /r "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DLA]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "DLACTRLW "
"hkey "= "HKLM "
"command "= "C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DMXLauncher]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "DMXLauncher "
"hkey "= "HKLM "
"command "= "C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ehTray]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "ehtray "
"hkey "= "HKLM "
"command "= "C:\\WINDOWS\\ehome\\ehtray.exe "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\googletalk]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "googletalk "
"hkey "= "HKCU "
"command "= "\ "C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\igfxhkcmd]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "hkcmd "
"hkey "= "HKLM "
"command "= "C:\\WINDOWS\\system32\\hkcmd.exe "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\igfxpers]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "igfxpers "
"hkey "= "HKLM "
"command "= "C:\\WINDOWS\\system32\\igfxpers.exe "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\igfxtray]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "igfxtray "
"hkey "= "HKLM "
"command "= "C:\\WINDOWS\\system32\\igfxtray.exe "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSPM Startup]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "isuspm "
"hkey "= "HKLM "
"command "= "\ "C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSScheduler]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "issch "
"hkey "= "HKLM "
"command "= "\ "C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MBMon]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "Rundll32 CTMBHA "
"hkey "= "HKLM "
"command "= "Rundll32 CTMBHA.DLL,MBMon "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "msmsgs "
"hkey "= "HKCU "
"command "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "qttask "
"hkey "= "HKLM "
"command "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SetDefaultMIDI]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "MIDIDef "
"hkey "= "HKCU "
"command "= "MIDIDef.exe "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SigmatelSysTrayApp]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "stsystra "
"hkey "= "HKLM "
"command "= "stsystra.exe "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "jusched "
"hkey "= "HKLM "
"command "= "\ "C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\" "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SynTPEnh]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "SynTPEnh "
"hkey "= "HKLM "
"command "= "C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "realsched "
"hkey "= "HKLM "
"command "= "\ "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UpdReg]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "UpdReg "
"hkey "= "HKLM "
"command "= "C:\\WINDOWS\\UpdReg.EXE "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\VoiceCenter]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "AndreaVC "
"hkey "= "HKLM "
"command "= "\ "C:\\Program Files\\Creative\\VoiceCenter\\AndreaVC.exe\" /tray "
"inimapping "= "0 "

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjjq32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - David.job

Completion time: Sat 10/07/2006 12:44:00.92
ComboFix.txt

Geri · 2006/10/07

Hi dnorng

OK, Lets rename the "HijackThis.exe" to something else, like killfile.exe or anything of your liking and run HJT again and post a new log.

Some infections are starting to hide themselves from HJT.

Thanks
Geri

dnorng · 2006/10/07

here it is

Logfile of HijackThis v1.99.1
Scan saved at 3:16:10 PM, on 10/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\killfile.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156290113109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159167664765
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/sis/popcaploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjjq32 - C:\WINDOWS\SYSTEM32\winjjq32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Geri · 2006/10/07

OK

I can not find any information on a file so we need to run a scan on it.

Please do this..

Jotti File Submission:

Please go to Jotti's malware scan

Copy and paste the following file path into the "File to upload & scan "box on the top of the page:

C:\WINDOWS\SYSTEM32\winjjq32.dll

Click on the submit button

Please post the results in your next reply.

This site is sometimes very busy so give it time.

Geri

dnorng · 2006/10/07

Service load: 0% 100%

File: winjjq32.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 9e72c0d269d575a295c187a55f75c1b5
Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT

Scanner results
AntiVir Found Trojan/PCK.Klone.G.64
ArcaVir Found Trojan.Packed.Klone.G
Avast Found Win32:Klone-N
AVG Antivirus Found Generic2.DEV
BitDefender Found Trojan.Klone.H
ClamAV Found nothing
Dr.Web Found Trojan.Mezzia
F-Prot Antivirus Found nothing
Fortinet Found W32/BDoor.G!tr.bdr
Kaspersky Anti-Virus Found Packed.Win32.Klone.g
NOD32 Found Win32/Zapchast
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.Mezzia

Geri · 2006/10/07

OK Very good.

Please do the following. Making sure you set up AVG Anti-Spyware as instructed.

First download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.

Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.

On the main screen select the icon "Update" then select the "Update now" link.

Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.

Once in the Settings screen click on "Recommended actions" and then select "Quarantine ".

Under "Reports "

Select "Automatically generate report after every scan "

Un-Select "Only if threats were found "

Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:

Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.

Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan ".

AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:

If you have any infections you will prompted, then select "Apply all actions "

Next select the "Reports" icon at the top.

Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).

Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab
O20 - Winlogon Notify: winjjq32 - C:\WINDOWS\SYSTEM32\winjjq32.dll

Now close all windows other than HiJackThis, then click Fix Checked.

Close HJT.

Reboot into safe mode.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore "), please delete these files (if present):

C:\WINDOWS\SYSTEM32\winjjq32.dll
C:\WINDOWS\system32\ixt0.dll

After that, Reboot.

Please post the AVG Anti-Spyware report scan and a New HJT Log into this Thread.

Geri

Geri · 2006/10/07

I need to run a few errands.
I'll check the logs when I get back

Geri

dnorng · 2006/10/07

okay did everything you said but ran into a little something. When i went to delete c:\windows\system32\winjjq32.dll it wouldn't let me saying it was protected. but heres the reports

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:43:39 PM 10/7/2006

+ Scan result:

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP15\A0002785.DLL -> Adware.FunWeb : Cleaned with backup (quarantined).
HKU\S-1-5-21-533688110-1303652809-2757876593-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{052B12F7-86FA-4921-8482-26C42316B522} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP15\A0002827.DLL -> Adware.IWon : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP15\A0002840.EXE -> Adware.MyWebSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP15\A0002815.DLL -> Downloader.IstBar : Cleaned with backup (quarantined).
C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup (quarantined).
C:\Documents and Settings\David.DALAPTOP\Local Settings\Temporary Internet Files\Content.IE5\EN67IDYJ\WinAntiVirusPro2006FreeInstall[1].cab/UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP51\A0018726.dll -> Not-A-Virus.Hoax.Win32.Renos.ds : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP51\A0018768.dll -> Not-A-Virus.Hoax.Win32.Renos.ds : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP51\A0018721.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP51\A0018732.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP51\A0018745.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP51\A0018755.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP51\A0018765.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP51\A0018769.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\Documents and Settings\David.DALAPTOP\Cookies\david@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@ehg-ripedigitalentertainment.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@counter8.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\David.DALAPTOP\Cookies\david@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.

::Report end

HJT

Logfile of HijackThis v1.99.1
Scan saved at 6:01:42 PM, on 10/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Hijackthis\killfile.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156290113109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159167664765
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/sis/popcaploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjjq32 - C:\WINDOWS\SYSTEM32\winjjq32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Geri · 2006/10/07

Hi

OK Lets get a little tougher with it

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop.

Please double-click Killbox.exe to run it.

Select:

Delete on Reboot

then Click on the All Files button.

Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\SYSTEM32\winjjq32.dll
C:\WINDOWS\system32\EE07051450.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\WINDOWS\system32\mes2046.dll

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Reboot into safe mode.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

ZangoToolbar
MyWebSearch
WildTangent
Viewpoint or viewpoint manager
LimeWire <<<P2P file sharing is a excellent way to become infected. I would suggest you remove this. WildTangent is also known for adware.

Please note any other programs that you don't recognize in that list in your next response

Using Windows Explorer (to get there right-click your Start button and go to "Explore "), please delete these folders (if present):

C:\Program Files\MyWebSearch
C:\Program Files\WildTangent
C:\Program Files\Viewpoint
C:\Program Files\LimeWire

Please reboot and post a new combofix log and hjt log.

Geri

dnorng · 2006/10/07

Logfile of HijackThis v1.99.1
Scan saved at 9:32:39 PM, on 10/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\killfile.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156290113109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159167664765
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/sis/popcaploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjjq32 - winjjq32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

dnorng · 2006/10/07

David - 06-10-07 21:30:32.39 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\My Downloads "

((((((((((((((((((((((((((((((( Files Created from 2006-09-07 to 2006-10-07 ))))))))))))))))))))))))))))))))))

2006-10-07 16:01 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-04 14:53 87 --a------ C:\WINDOWS\system32\sysogg.dll
2006-09-26 00:48 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2006-09-26 00:48 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2006-09-26 00:48 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2006-09-25 18:56 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2006-09-25 15:02 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-09-24 20:06 223,128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2006-09-24 20:01 96,256 --a------ C:\WINDOWS\system32\drivers\sptd1869.sys
2006-09-24 20:01 643,072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-09-24 00:54 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-07 18:45 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Adobe
2006-10-07 18:01 -------- d-------- C:\Program Files\Hijackthis
2006-10-07 16:01 -------- d-------- C:\Program Files\Grisoft
2006-10-07 16:01 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-04 14:52 -------- d-------- C:\Program Files\Ogg Converter
2006-10-01 01:37 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\AIM
2006-09-27 17:12 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Google
2006-09-27 14:03 -------- d-------- C:\Program Files\Google
2006-09-24 04:00 -------- d-------- C:\Program Files\WinRAR
2006-09-24 03:29 -------- d-------- C:\Program Files\EA GAMES
2006-09-24 02:44 -------- d-------- C:\Program Files\ModTheSims2.com
2006-09-24 00:48 -------- d-------- C:\Program Files\Microsoft Games
2006-09-19 13:14 -------- d---s---- C:\Documents and Settings\David.DALAPTOP\Application Data\Microsoft
2006-09-19 13:09 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\ZangoToolbar
2006-09-12 15:54 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\AdobeUM
2006-09-11 23:02 -------- d-------- C:\Program Files\Norton Internet Security
2006-09-10 06:12 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-10 06:12 -------- d-------- C:\Program Files\Common Files\Sonic Shared
2006-09-06 11:52 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Apple Computer
2006-08-30 02:25 -------- d-------- C:\Program Files\QuickTime
2006-08-28 01:21 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Sonic
2006-08-28 01:21 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Leadertech
2006-08-26 21:48 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Macromedia
2006-08-26 00:36 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-08-26 00:36 -------- d-------- C:\Program Files\Common Files\Adobe
2006-08-26 00:36 -------- d-------- C:\Program Files\Common Files
2006-08-26 00:35 -------- d-------- C:\Program Files\Adobe
2006-08-26 00:32 -------- d-------- C:\Program Files\WinZip
2006-08-26 00:04 -------- d-------- C:\Program Files\OfficeUpdate11
2006-08-26 00:02 -------- d-------- C:\Program Files\Microsoft Works
2006-08-26 00:02 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-08-25 23:55 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-08-25 23:55 -------- d-------- C:\Program Files\Common Files\DESIGNER
2006-08-25 23:54 -------- d-------- C:\Program Files\Microsoft Visual Studio
2006-08-25 23:54 -------- d-------- C:\Program Files\Microsoft Office
2006-08-25 23:54 -------- d-------- C:\Program Files\Common Files\System
2006-08-25 23:53 -------- d-------- C:\Program Files\Microsoft.NET
2006-08-25 15:57 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Creative
2006-08-24 14:49 -------- d-------- C:\Program Files\Java
2006-08-24 13:37 -------- d-------- C:\Program Files\Winamp
2006-08-24 01:53 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Corel Photo Album
2006-08-23 02:52 -------- d-------- C:\Program Files\Internet Explorer
2006-08-23 02:21 -------- d-------- C:\Program Files\Windows Media Player
2006-08-23 02:18 -------- d-------- C:\Program Files\Outlook Express
2006-08-23 01:15 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\acccore
2006-08-23 01:14 -------- d-------- C:\Program Files\AIM
2006-08-23 01:14 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\AIMPro
2006-08-22 20:02 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Real
2006-08-22 19:59 -------- d-------- C:\Program Files\Common Files\xing shared
2006-08-22 19:59 -------- d-------- C:\Program Files\Common Files\Real
2006-08-22 19:32 -------- d-------- C:\Program Files\Symantec
2006-08-22 19:30 -------- d-------- C:\Program Files\Dell Support
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-17 11:31 -------- d-------- C:\Program Files\Dell
2006-08-17 11:29 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Symantec
2006-08-17 11:27 -------- d-------- C:\Program Files\BAE
2006-08-17 11:25 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-08-17 11:23 -------- d-------- C:\Program Files\Sonic
2006-08-17 11:22 -------- d-------- C:\Program Files\Roxio
2006-08-17 11:21 -------- d-------- C:\Program Files\Corel Corporation
2006-08-17 11:21 -------- d-------- C:\Program Files\Corel
2006-08-17 11:21 -------- d-------- C:\Program Files\Common Files\Corel
2006-08-17 11:19 -------- d-------- C:\Program Files\MUSICMATCH
2006-08-17 11:18 -------- d--h----- C:\Documents and Settings\David.DALAPTOP\Application Data\Gtek
2006-08-17 11:18 -------- d-------- C:\Program Files\WebCyberCoach
2006-08-17 11:17 -------- d-------- C:\Program Files\WordPerfect Office 12
2006-08-17 11:17 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-08-17 11:17 -------- d-------- C:\Program Files\Common Files\Borland Shared
2006-08-17 11:16 8552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys
2006-08-17 11:16 -------- d-------- C:\Program Files\Real
2006-08-17 11:16 -------- d-------- C:\Program Files\Learn2.com
2006-08-17 11:16 -------- d-------- C:\Program Files\EarthLink Setup
2006-08-17 11:16 -------- d-------- C:\Program Files\Common Files\Nullsoft
2006-08-17 11:16 -------- d-------- C:\Program Files\Common Files\aolshare
2006-08-17 11:16 -------- d-------- C:\Program Files\AOL Companion
2006-08-17 11:16 -------- d-------- C:\Program Files\America Online 9.0
2006-08-17 11:15 -------- d-------- C:\Program Files\Microsoft Plus! Photo Story 2 LE
2006-08-17 11:15 -------- d-------- C:\Program Files\Microsoft Plus! Digital Media Edition
2006-08-17 11:15 -------- d-------- C:\Program Files\Common Files\AOL
2006-08-17 11:14 -------- d-------- C:\Program Files\NetZeroInstallers
2006-08-17 11:11 -------- d-------- C:\Program Files\Creative
2006-08-17 11:10 -------- d-------- C:\Program Files\Common Files\Creative Labs Shared
2006-08-17 11:09 -------- d-------- C:\Program Files\NetWaiting
2006-08-17 11:09 -------- d-------- C:\Program Files\Modem Helper
2006-08-17 11:09 -------- d-------- C:\Program Files\InterActual
2006-08-17 11:09 -------- d-------- C:\Program Files\Digital Line Detect
2006-08-17 11:09 -------- d-------- C:\Program Files\Broadcom
2006-08-17 11:08 -------- d-------- C:\Program Files\Common Files\Roxio Shared
2006-08-17 11:06 -------- d-------- C:\Program Files\Sigmatel
2006-08-17 11:06 -------- d-------- C:\Program Files\CONEXANT
2006-08-17 11:05 -------- d-------- C:\Program Files\Intel, Inc
2006-08-17 11:05 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Intel
2006-08-17 11:04 21275 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2006-08-17 11:04 -------- d-------- C:\Program Files\Intel
2006-08-17 11:02 -------- d-------- C:\Program Files\Messenger
2006-08-17 11:01 -------- d-------- C:\Program Files\Common Files\Java
2006-08-17 11:01 -------- d-------- C:\Documents and Settings\David.DALAPTOP\Application Data\Sun
2006-08-17 10:48 -------- d-------- C:\Program Files\Synaptics
2006-08-07 17:02 534208 --a------ C:\WINDOWS\system32\SymNeti.dll
2006-08-07 17:02 31936 --a------ C:\WINDOWS\system32\drivers\symids.sys
2006-08-07 17:02 28352 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2006-08-07 17:02 24768 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2006-08-07 17:02 195776 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2006-08-07 17:02 161472 --a------ C:\WINDOWS\system32\SymRedir.dll
2006-08-07 17:02 110784 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2006-08-07 17:01 12992 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\\WINDOWS\\system32\\ctfmon.exe "
"MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
"swg "= "C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp "= "\ "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\" "
"IntelZeroConfig "= "\ "C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\" "
"IntelWireless "= "\ "C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless "
"QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
"ISUSPM Startup "= "\ "C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe\" -startup "
"TkBellExe "= "\ "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot "
"!AVG Anti-Spyware "= "\ "C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed "= "1 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed "= "1 "
"NoChange "= "1 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed "= "1 "

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion "=dword:00000110
"DeskHtmlMinorVersion "=dword:00000005
"Settings "=dword:00000001
"GeneralFlags "=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "AVG Anti-Spyware 7.5 "

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun "=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername "=dword:00000000
"legalnoticecaption "=" "
"legalnoticetext "=" "
"shutdownwithoutlogon "=dword:00000001
"undockwithoutlogon "=dword:00000001
"InstallVisualStyle "=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme "=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun "=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun "=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
"CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
"WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
"SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "
"UPnPMonitor "= "{e57ce738-33e8-4c51-8354-bb4de9d215d1} "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk "
"backup "= "C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup "
"location "= "Common Startup "
"command "= "C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item "= "Adobe Gamma Loader "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
"path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Digital Line Detect.lnk "
"backup "= "C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup "
"location "= "Common Startup "
"command "= "C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
"item "= "Digital Line Detect "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "=" "
"hkey "= "HKLM "
"command "=" "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Creative Detector]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "CTDetect "
"hkey "= "HKCU "
"command "= "\ "C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe\" /R "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ctfmon.exe]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "ctfmon "
"hkey "= "HKCU "
"command "= "C:\\WINDOWS\\system32\\ctfmon.exe "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CTSysVol]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "CTSysVol "
"hkey "= "HKLM "
"command "= "C:\\Program Files\\Creative\\SBAudigy\\Surround Mixer\\CTSysVol.exe /r "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DLA]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "DLACTRLW "
"hkey "= "HKLM "
"command "= "C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DMXLauncher]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "DMXLauncher "
"hkey "= "HKLM "
"command "= "C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ehTray]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "ehtray "
"hkey "= "HKLM "
"command "= "C:\\WINDOWS\\ehome\\ehtray.exe "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\googletalk]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "googletalk "
"hkey "= "HKCU "
"command "= "\ "C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\igfxhkcmd]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "hkcmd "
"hkey "= "HKLM "
"command "= "C:\\WINDOWS\\system32\\hkcmd.exe "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\igfxpers]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "igfxpers "
"hkey "= "HKLM "
"command "= "C:\\WINDOWS\\system32\\igfxpers.exe "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\igfxtray]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "igfxtray "
"hkey "= "HKLM "
"command "= "C:\\WINDOWS\\system32\\igfxtray.exe "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSPM Startup]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "isuspm "
"hkey "= "HKLM "
"command "= "\ "C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSScheduler]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "issch "
"hkey "= "HKLM "
"command "= "\ "C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MBMon]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "Rundll32 CTMBHA "
"hkey "= "HKLM "
"command "= "Rundll32 CTMBHA.DLL,MBMon "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "msmsgs "
"hkey "= "HKCU "
"command "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "qttask "
"hkey "= "HKLM "
"command "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SetDefaultMIDI]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "MIDIDef "
"hkey "= "HKCU "
"command "= "MIDIDef.exe "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SigmatelSysTrayApp]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "stsystra "
"hkey "= "HKLM "
"command "= "stsystra.exe "
"inimapping "= "0 "

dnorng · 2006/10/07

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "jusched "
"hkey "= "HKLM "
"command "= "\ "C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\" "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SynTPEnh]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "SynTPEnh "
"hkey "= "HKLM "
"command "= "C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "realsched "
"hkey "= "HKLM "
"command "= "\ "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UpdReg]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "UpdReg "
"hkey "= "HKLM "
"command "= "C:\\WINDOWS\\UpdReg.EXE "
"inimapping "= "0 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\VoiceCenter]
"key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
"item "= "AndreaVC "
"hkey "= "HKLM "
"command "= "\ "C:\\Program Files\\Creative\\VoiceCenter\\AndreaVC.exe\" /tray "
"inimapping "= "0 "

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjjq32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - David.job

Completion time: Sat 10/07/2006 21:31:59.12
ComboFix.txt
ComboFix2.txt

Log in or Sign up

Antimal problem

dnorng Inactive Thread Starter

TeMerc Inactive Alumni

Geri Inactive Alumni

TeMerc Inactive Alumni

dnorng Inactive Thread Starter

Geri Inactive Alumni

dnorng Inactive Thread Starter

dnorng Inactive Thread Starter

dnorng Inactive Thread Starter

Geri Inactive Alumni

dnorng Inactive Thread Starter

Geri Inactive Alumni

dnorng Inactive Thread Starter

Geri Inactive Alumni

Geri Inactive Alumni

dnorng Inactive Thread Starter

Geri Inactive Alumni

dnorng Inactive Thread Starter

dnorng Inactive Thread Starter

dnorng Inactive Thread Starter

Share This Page

Log in or Sign up

Antimal problem

dnorng Inactive Thread Starter

TeMerc Inactive Alumni

Geri Inactive Alumni

TeMerc Inactive Alumni

dnorng Inactive Thread Starter

Geri Inactive Alumni

dnorng Inactive Thread Starter

dnorng Inactive Thread Starter

dnorng Inactive Thread Starter

Geri Inactive Alumni

dnorng Inactive Thread Starter

Geri Inactive Alumni

dnorng Inactive Thread Starter

Geri Inactive Alumni

Geri Inactive Alumni

dnorng Inactive Thread Starter

Geri Inactive Alumni

dnorng Inactive Thread Starter

dnorng Inactive Thread Starter

dnorng Inactive Thread Starter

Share This Page

Useful Searches