
Solved Help with Troj/Bckdr-QJL virus

Discussion in 'Malware and Virus Removal Archive' started by ktongg, 2007/09/16.

  1. 2007/09/16 - ktongg (Thread Starter)
    [Resolved] Help with Troj/Bckdr-QJL virus

    I was reading your recent thread with Drewp2 and am having a similar problem with a virus & popups on my computer as well.

    I ran a scan using Webroot Spy Sweeper with Antivirus and it's finding the Virus found: Troj/Bckdr-QJL but when I try to quarantine, it fails.

    What do you suggest?

    In addition, every time I use Internet Explorer I am getting multiple popups. I am constantly running Webroot and it will find items, which I then quarantine, but they seem to keep coming back.

    Help!
     
  2. 2007/09/16 - noahdfear
    Welcome to WindowsBBS ktongg :)

    I've moved your post to its own topic and we will continue here.

    Let's start with a HijackThis log. Please download the HijackThis Installer from here, then run a scan and save the log. Post the contents of that log here.

    Can you give us details of what's been found? Filename(s), locations?
     

  4. 2007/09/16 - ktongg (Thread Starter)
    Thanks for your quick reply.

    Here are the contents of the log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:38:37 PM, on 9/16/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\CDProxyServ.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2c7b2e6a-7eed-4f07-a37f-428d869d0d5b} - C:\WINDOWS\system32\gukpicg.dll
    O2 - BHO: (no name) - {3B824EC0-A15D-4FBA-8CE9-D62D70B62679} - C:\WINDOWS\system32\ddcyy.dll (file missing)
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\system32\tuvspqq.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Dell QuickSet] "C:\Program Files\Dell\QuickSet\quickset.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189658592953
    O20 - Winlogon Notify: tuvspqq - tuvspqq.dll (file missing)
    O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
    O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
    O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
    O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\projyfsic.html

    --
    End of file - 7996 bytes
     
  5. 2007/09/16 - noahdfear
    First, you have the Sony rootkit that needs to be removed. Follow the instructions here for either manual or automatic removal (I recommend manual).

    Once that's done, we'll go after the Vundo infection, starting with the following tool.

    Download VundoFix by Atribune, saving it to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this topic.
    Note: It is possible that VundoFix encounters a file it could not remove. In this case, VundoFix will run on reboot. If that happens, follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
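The indicators noahdfear reads off that HijackThis log can be written down as a small triage script. This is an added example, not a tool from the thread, from noahdfear, or from HijackThis itself: it flags the $sys$-prefixed paths, the First 4 Internet vendor string and the XCP CD Proxy service (the Sony BMG rootkit), and the Vundo pattern of "(no name)" BHOs pointing at bare DLLs in system32, the Winlogon Notify entry, and the O24 desktop component. The tag names and heuristics are assumptions of the example; the sample lines are copied from the log above, with two clean entries (Acrobat, iPod) to show they pass.

```python
import re
from collections import Counter

# Added example for this thread, not a tool noahdfear or WindowsBBS used.
# The tag names and heuristics below are assumptions of this example,
# not HijackThis output.

# Sony BMG XCP rootkit: "$sys$" is the prefix its driver hides, CDProxyServ.exe
# is its "XCP CD Proxy" service, First 4 Internet Ltd is the vendor string.
SONY_XCP_MARKERS = ("$sys$", "CDProxyServ.exe", "First 4 Internet")

# The Vundo pattern in this log: an unnamed BHO whose DLL sits directly in
# system32 (no subfolder), e.g. gukpicg.dll, ddcyy.dll, tuvspqq.dll.
BARE_SYSTEM32_DLL = re.compile(r"C:\\WINDOWS\\system32\\[^\\]+\.dll", re.I)

# "O2 - BHO: ..." / "R1 - HKCU\..." item lines; anything else is ignored.
ITEM_LINE = re.compile(r"^\s*(O\d+|R\d)\s+-\s+(.+)$")


def classify_line(line):
    """Return the indicator tags for one HijackThis log line ([] if nothing to flag)."""
    tags = []
    lowered = line.lower()
    if any(marker.lower() in lowered for marker in SONY_XCP_MARKERS):
        tags.append("sony-xcp-rootkit")
    match = ITEM_LINE.match(line)
    if not match:
        return tags
    kind, body = match.groups()
    if kind == "O2" and "(no name)" in body and BARE_SYSTEM32_DLL.search(body):
        tags.append("vundo-bho")
    if kind == "O2" and body.endswith("(no file)"):
        tags.append("orphaned-bho")          # CLSID registered, DLL path gone
    if kind == "O20" and body.startswith("Winlogon Notify:"):
        tags.append("winlogon-notify")       # loads inside winlogon.exe; always review
    if kind == "O24":
        tags.append("desktop-component")     # Active Desktop HTML, a popup source
    if "(file missing)" in body:
        tags.append("file-missing")          # registry still points at a removed file
    return tags


def triage(log_text):
    """Return [(stripped line, tags)] for every flagged line, in log order."""
    findings = []
    for line in log_text.splitlines():
        tags = classify_line(line)
        if tags:
            findings.append((line.strip(), tags))
    return findings


def summarize(findings):
    """Count how many flagged lines carry each tag."""
    return Counter(tag for _, tags in findings for tag in tags)


# Sample input: lines copied from the HijackThis log posted above, plus two
# clean entries (Acrobat, iPod) to show that they are not flagged.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2c7b2e6a-7eed-4f07-a37f-428d869d0d5b} - C:\WINDOWS\system32\gukpicg.dll
O2 - BHO: (no name) - {3B824EC0-A15D-4FBA-8CE9-D62D70B62679} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: tuvspqq - tuvspqq.dll (file missing)
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\projyfsic.html
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for line, tags in results:
        print(", ".join(tags).ljust(32), line[:90])
    print(dict(summarize(results)))
```

The "(file missing)" hits are the interesting ones for the next step: the DLL is gone but the registry still loads it, which is why a file scanner like Spy Sweeper keeps reporting it and cannot quarantine anything. The Spybot SDHelper.dll entry is also "(no name)" but lives under Program Files, so the bare-system32 rule leaves it alone.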
     
  6. 2007/09/16 - ktongg (Thread Starter)
    I tried to manually remove the Sony Rootkit and it said there was no such file. I then ran the automatic removal and it said the same.

    After that I ran the VundoFix and it also said there were no files found.
     
  7. 2007/09/16 - noahdfear
    Time for the big gun then. ;)

    Download ComboFix by sUBs from Here or Here, saving the file to your Desktop.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  8. 2007/09/16 - ktongg (Thread Starter)
    ComboFix Log:

    ComboFix 07-09-14.2 - "Jamie" 2007-09-16 19:33:51.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.106 [GMT -7:00]
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
    C:\DOCUME~1\Dale\err.log
    C:\DOCUME~1\Dale\ResErrors.log
    C:\DOCUME~1\Jamie\APPLIC~1\AntiSpywareBot
    C:\DOCUME~1\Jamie\APPLIC~1\AntiSpywareBot\Log\2007 Sep 12 - 12_00_29 AM_421.log
    C:\DOCUME~1\Jamie\APPLIC~1\AntiSpywareBot\Log\2007 Sep 12 - 12_00_59 AM_625.log
    C:\DOCUME~1\Jamie\APPLIC~1\AntiSpywareBot\Log\2007 Sep 12 - 12_27_49 AM_812.log
    C:\DOCUME~1\Jamie\APPLIC~1\AntiSpywareBot\rs.dat
    C:\DOCUME~1\Jamie\APPLIC~1\AntiSpywareBot\Settings\CustomScan.stg
    C:\DOCUME~1\Jamie\APPLIC~1\AntiSpywareBot\Settings\IgnoreList.stg
    C:\DOCUME~1\Jamie\APPLIC~1\AntiSpywareBot\Settings\ScanInfo.stg
    C:\DOCUME~1\Jamie\APPLIC~1\AntiSpywareBot\Settings\ScanResults.stg
    C:\DOCUME~1\Jamie\APPLIC~1\AntiSpywareBot\Settings\SelectedFolders.stg
    C:\DOCUME~1\Jamie\APPLIC~1\AntiSpywareBot\Settings\Settings.stg
    C:\DOCUME~1\Jamie\err.log
    C:\DOCUME~1\Jamie\MYDOCU~1\FNTS~1
    C:\DOCUME~1\Jamie\MYDOCU~1\FNTS~1\F?nts\
    C:\DOCUME~1\Jamie\ResErrors.log
    C:\Program Files\Common Files\Companion Wizard(2)
    C:\Program Files\Common Files\Companion Wizard(2)\CompWiz.xml
    C:\Program Files\MSN\projyfsic.html
    C:\Temp\1cb
    C:\Temp\fse
    C:\WINDOWS\b122.exe
    C:\WINDOWS\DOWNLO~1\UWA7P_0001_N99M2908NetInstaller.exe
    C:\WINDOWS\system32\D2
    C:\WINDOWS\system32\f02WtR
    C:\WINDOWS\system32\gukpicg.dll
    C:\WINDOWS\system32\hatydvdm.exe
    C:\WINDOWS\system32\stera.log
    C:\WINDOWS\Tasks.\AntiSpywareBot Scheduled Scan.job

    .
    ((((((((((((((((((((((((( Files Created from 2007-08-17 to 2007-09-17 )))))))))))))))))))))))))))))))
    .

    2007-09-16 19:32 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-16 19:12 <DIR> d-------- C:\VundoFix Backups
    2007-09-16 17:03 <DIR> d-------- C:\Program Files\Lavasoft
    2007-09-16 17:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-09-16 17:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-09-13 22:22 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-09-13 18:50 <DIR> d-------- C:\DOCUME~1\Jamie\APPLIC~1\OfficeUpdate12
    2007-09-13 18:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
    2007-09-13 18:03 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
    2007-09-13 18:03 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
    2007-09-13 18:03 116,736 --------- C:\WINDOWS\system32\aaclient.dll
    2007-09-13 17:57 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2007-09-13 07:36 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
    2007-09-12 23:23 <DIR> d-------- C:\Program Files\MSXML 6.0
    2007-09-12 23:05 <DIR> d-------- C:\Program Files\MSBuild
    2007-09-12 22:58 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
    2007-09-12 22:56 <DIR> d-------- C:\Program Files\Reference Assemblies
    2007-09-12 22:53 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
    2007-09-12 22:52 <DIR> d-------- C:\87de99da81a8b87ad3498b1d8fb1edc4
    2007-09-12 22:51 86,016 --a------ C:\WINDOWS\system32\preflib.dll
    2007-09-12 22:51 757,760 --a------ C:\WINDOWS\system32\bcm1xsup.dll
    2007-09-12 22:51 69,632 --a------ C:\WINDOWS\system32\bcmwlpkt.dll
    2007-09-12 22:51 33,664 --a------ C:\WINDOWS\system32\drivers\BCMWLNPF.SYS
    2007-09-12 22:51 2,129,920 --a------ C:\WINDOWS\system32\WLBCGCBPRO731.DLL
    2007-09-12 19:20 2,016,421 ---hs---- C:\WINDOWS\system32\yycdd.ini2
    2007-09-12 19:15 164 --a------ C:\install.dat
    2007-09-12 18:34 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
    2007-09-12 18:34 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
    2007-09-12 18:34 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
    2007-09-12 18:34 163,128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
    2007-09-12 18:34 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
    2007-09-12 18:33 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
    2007-09-12 18:33 <DIR> d-------- C:\Program Files\Webroot
    2007-09-12 18:33 <DIR> d-------- C:\DOCUME~1\Jamie\APPLIC~1\Webroot
    2007-09-12 18:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
    2007-09-12 00:42 <DIR> d-------- C:\Program Files\Free Download Manager
    2007-09-12 00:38 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-09-11 23:59 18,672 --a------ C:\WINDOWS\system32\drivers\antispyfilter.sys
    2007-09-11 22:15 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
    2007-09-11 22:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-09-11 21:40 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-09-11 21:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ParetoLogic Anti-Spyware
    2007-09-11 21:26 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Gtek
    2007-09-11 20:04 <DIR> d-------- C:\Program Files\a-squared Free
    2007-09-11 20:00 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
    2007-09-11 20:00 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
    2007-09-08 14:35 <DIR> d-------- C:\WINDOWS\uumm
    2007-09-08 14:35 <DIR> d-------- C:\Program Files\Common Files\uumm
    2007-09-07 23:07 2,008,051 ---hs---- C:\WINDOWS\system32\yycdd.bak2
    2007-09-06 23:22 2,016,266 ---hs---- C:\WINDOWS\system32\yycdd.bak1
    2007-09-06 23:14 <DIR> d--hs---- C:\WINDOWS\SmFtaWU
    2007-09-06 23:14 <DIR> d-------- C:\WINDOWS\system32\drvr2
    2007-09-06 23:14 <DIR> d-------- C:\WINDOWS\system32\cfig322
    2007-09-06 23:14 <DIR> d-------- C:\WINDOWS\system32\capcam
    2007-09-02 17:12 <DIR> d-------- C:\Program Files\Common Files\Apple
    2007-09-02 17:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-16 17:37 --------- d-------- C:\Program Files\Trend Micro
    2007-09-12 22:50 --------- d-------- C:\Program Files\Dell
    2007-09-12 21:34 --------- d--h----- C:\DOCUME~1\Jamie\APPLIC~1\Move Networks
    2007-09-12 21:26 --------- d-------- C:\Program Files\Common Files\AOL
    2007-09-12 21:26 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
    2007-09-02 17:58 --------- d-------- C:\Program Files\iTunes
    2007-09-02 17:18 --------- d-------- C:\Program Files\iPod
    2007-09-02 17:16 --------- d-------- C:\Program Files\QuickTime
    2007-09-02 17:05 --------- d-------- C:\Program Files\Apple Software Update
    2007-08-27 10:49 --------- d-------- C:\Program Files\Dl_cats
    2007-08-15 11:45 524288 --a------ C:\WINDOWS\opuc.dll
    2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
    2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll
    2007-07-28 16:09 --------- d-------- C:\DOCUME~1\Jamie\APPLIC~1\allTunes
    2007-07-28 16:08 --------- d-------- C:\Program Files\allTunes
    2007-07-28 16:08 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\allTunes
    2007-07-18 23:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-07-12 16:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
    2007-06-27 07:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
    2007-06-27 07:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
    2007-06-27 07:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-06-27 07:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-06-27 07:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-06-27 07:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-06-27 07:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-06-27 07:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-06-27 07:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-06-27 07:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-06-27 07:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-06-27 07:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-06-27 07:34 230400 --------- C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-06-27 07:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
    2007-06-27 07:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-06-27 07:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-06-27 07:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
    2007-06-27 07:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-06-27 07:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
    2007-06-27 07:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
    2007-06-27 01:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-06-27 01:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-06-27 01:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-06-27 00:00 161792 --------- C:\WINDOWS\system32\dllcache\ieakui.dll
    2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
    2007-06-25 23:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
    2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
    2007-06-19 06:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
    2006-06-04 00:03:46 56 -csh--r C:\WINDOWS\system32\EBBBF25EFF.sys
    2006-06-04 00:03:48 3,766 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3B824EC0-A15D-4FBA-8CE9-D62D70B62679}]
    C:\WINDOWS\system32\ddcyy.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Dell QuickSet "= "C:\Program Files\Dell\QuickSet\quickset.exe" [2005-08-01 15:00]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
    "SpySweeper "= "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 22:54]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "MySpaceIM "=C:\Program Files\MySpace\IM\MySpaceIM.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvspqq]
    tuvspqq.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 C:\\WINDOWS\\system32\\ddcyy

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk.disabled
    backup=C:\WINDOWS\pss\Digital Line Detect.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk.disabled
    backup=C:\WINDOWS\pss\hp psc 2000 Series.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk.disabled
    backup=C:\WINDOWS\pss\hpoddt01.exe.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk.disabled
    backup=C:\WINDOWS\pss\Microsoft Office.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor.lnk.disabled
    backup=C:\WINDOWS\pss\Monitor.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jamie^Start Menu^Programs^Startup^TA_Start.lnk.disabled]
    path=C:\Documents and Settings\Jamie\Start Menu\Programs\Startup\TA_Start.lnk.disabled
    backup=C:\WINDOWS\pss\TA_Start.lnk.disabledStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
    C:\WINDOWS\system32\WLTRAY.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
    "C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Wireless Manager UI]
    C:\WINDOWS\system32\WLTRAY

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    C:\WINDOWS\system32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    C:\WINDOWS\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
    "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "TapiSrv "=3 (0x3)
    "AOL ACS "=2 (0x2)
    "PcCtlCom "=2 (0x2)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "swg "=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    "MySpaceIM "=C:\Program Files\MySpace\IM\MySpaceIM.exe
    "ModemOnHold "=C:\Program Files\NetWaiting\netWaiting.exe
    "WebBuying "=C:\Program Files\Web Buying\v1.8.3\webbuying.exe
    "uwa7pcw "= "C:\Program Files\Common Files\WinAntiVirus Pro 2007\uwa7pcw.exe" -c

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "dlcdmon.exe "= "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe "
    "dlcxmon.exe "= "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe "
    "DVDLauncher "= "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    "FaxCenterServer "= "C:\Program Files\Dell PC Fax\fm3032.exe" /s
    "hovymifez "=C:\Program Files\Internet Explorer\hovymifez22011.exe
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe "
    "MemoryCardManager "= "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe "
    "MimBoot "=C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
    "MMTray "= "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe "
    "pccguide.exe "= "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe "
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    "SynTPEnh "=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    "SunJavaUpdateSched "=C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    "SigmatelSysTrayApp "=stsystra.exe
    "RealTray "=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    R0 $sys$cor;$sys$cor;C:\WINDOWS\system32\Drivers\$sys$cor.sys
    R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
    R1 $sys$crater;$sys$crater;\??\C:\WINDOWS\system32\$sys$filesystem\crater.sys
    R2 $sys$DRMServer;Plug and Play Device Manager;C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
    R2 CD_Proxy;XCP CD Proxy;C:\WINDOWS\CDProxyServ.exe
    S3 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe -service
    S3 dlcx_device;dlcx_device;C:\WINDOWS\system32\dlcxcoms.exe -service
    S3 gsplittm;gsplittm;\??\C:\DOCUME~1\Jamie\LOCALS~1\Temp\gsplittm.sys
    S3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\PCTINDIS5.SYS
    S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
    S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
    S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
    S3 sscdserd;SAMSUNG CDMA Modem Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\sscdserd.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-16 22:40:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-09-12 04:35:32 C:\WINDOWS\Tasks\Pareto UNS.job "
    "2007-09-13 03:57:27 C:\WINDOWS\Tasks\wrSpySweeper_L0A602F69365B4797BD5AAB0E85F3FBE4.job "
    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-16 19:40:10
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\$sys$cor]
    "ImagePath "= "System32\Drivers\$sys$cor.sys "

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\$sys$crater]
    "ImagePath "= "\??\C:\WINDOWS\system32\$sys$filesystem\crater.sys "

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\$sys$DRMServer]
    "ImagePath "= "C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe "
    .
    Completion time: 2007-09-16 19:43:59 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-16 19:43
    .
    --- E O F ---

    HijackThis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:45:27 PM, on 9/16/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\CDProxyServ.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3B824EC0-A15D-4FBA-8CE9-D62D70B62679} - C:\WINDOWS\system32\ddcyy.dll (file missing)
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Dell QuickSet] "C:\Program Files\Dell\QuickSet\quickset.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189658592953
    O20 - Winlogon Notify: tuvspqq - tuvspqq.dll (file missing)
    O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
    O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
    O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 7243 bytes
     
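    The HijackThis log above is read by hand: the helper looks for load points whose target file is gone (the `(file missing)` BHO for ddcyy.dll and the `(no file)` BHO, the Winlogon Notify entry for tuvspqq.dll) and for services with no recorded owner. The script below is an added example, not part of the thread and not HijackThis or ComboFix code, that parses lines in the HijackThis v2 format into a small record and applies those same checks. The sample lines are copied from the log posted above; the `Entry` record, the flag names and the helper functions are assumptions made for this example.

```python
"""Parse HijackThis v2 log lines and flag load points whose target file is absent.

Added example for this thread (not HijackThis' own code). Sample lines come
from the log posted above; the record layout and flag names are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a handful of lines from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3B824EC0-A15D-4FBA-8CE9-D62D70B62679} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O20 - Winlogon Notify: tuvspqq - tuvspqq.dll (file missing)
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
"""


@dataclass
class Entry:
    section: str                 # "R3", "O2", "O20", "O23", ...
    kind: str                    # "BHO", "Winlogon Notify", "Service", "HKLM\..\Run", ...
    name: str
    clsid: Optional[str]
    path: Optional[str]          # None when the log says "(no file)"
    flags: List[str] = field(default_factory=list)


LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")   # {8-4-4-4-12} GUID in braces


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one HijackThis line, or None for headers and blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")
    kind, _, detail = rest.partition(": ")
    clsid_m = CLSID_RE.search(detail)
    clsid = clsid_m.group(0) if clsid_m else None
    flags: List[str] = []

    if sec == "O4":
        # Run-key lines look like "[value name] path args".
        nm = re.match(r"\[(?P<name>[^\]]+)\]\s*(?P<path>.*)", detail)
        name, path = (nm.group("name"), nm.group("path")) if nm else (detail, None)
    else:
        # Other lines are "name - clsid-or-owner - path"; the path is always last.
        parts = [p.strip() for p in detail.split(" - ")]
        name = parts[0]
        path = parts[-1] if len(parts) > 1 else None
        if sec == "O23" and len(parts) >= 3 and parts[1] == "Unknown owner":
            flags.append("unknown-owner")

    if path is not None:
        if path == "(no file)":
            path, flags = None, flags + ["missing-file"]
        elif path.endswith("(file missing)"):
            path = path[: -len("(file missing)")].strip()
            flags.append("missing-file")
    if name == "(no name)":
        flags.append("unnamed")
    if kind == "Winlogon Notify":
        flags.append("winlogon-notify")   # DLL loaded into winlogon at logon
    return Entry(sec, kind, name, clsid, path, flags)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def missing_targets(entries: List[Entry]) -> List[Entry]:
    """Load points that still point at a file the scanner could not find."""
    return [e for e in entries if "missing-file" in e.flags]


if __name__ == "__main__":
    for e in missing_targets(parse_log(SAMPLE_LOG)):
        print(e.section, e.kind, e.name, e.clsid, e.path, e.flags)
```

    A dangling load point is worth keeping on the list even though its file is gone: the registry reference is what the CFScript in the next post removes, and a malware updater that re-drops the DLL would find the hook already in place.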
  9. 2007/09/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\system32\yycdd.ini2
    C:\WINDOWS\system32\yycdd.bak2
    C:\WINDOWS\system32\yycdd.bak1
    C:\WINDOWS\system32\EBBBF25EFF.sys
    
    Folder::
    C:\WINDOWS\SmFtaWU
    C:\WINDOWS\system32\drvr2
    C:\WINDOWS\system32\cfig322
    C:\WINDOWS\system32\capcam
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3B824EC0-A15D-4FBA-8CE9-D62D70B62679}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvspqq]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"="msv1_0"
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "uwa7pcw"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "hovymifez"=-
    
    Driver::
    gsplittm
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log along with a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
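    The CFScript above is built by cross-checking the ComboFix log: every path under File:: and Folder:: is one that ComboFix listed, and the yycdd.* files and the SmFtaWU folder carry the hidden and system attributes (`---hs----`, `d--hs----`) in that listing. The script below is an added example, not part of the thread and not ComboFix's own code, that parses a CFScript into its `Section::` groups, parses lines in the format of ComboFix's "Files Created" and "Find3M" listings, and reports the listed attributes of each File::/Folder:: target. The sample script is the one posted above (shortened); the sample listing lines are copied from the ComboFix logs in this thread; the function names and the `Listed` record are assumptions. It only groups the Registry:: lines; it does not reproduce what ComboFix does with them.

```python
"""Parse a ComboFix CFScript and check its targets against the ComboFix file listing.

Added example for this thread; not ComboFix's own code. Only the Section::
syntax comes from the script posted above; the rest is assumed for the example.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: the CFScript from the post above, shortened.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\yycdd.ini2
C:\WINDOWS\system32\yycdd.bak2
C:\WINDOWS\system32\yycdd.bak1
C:\WINDOWS\system32\EBBBF25EFF.sys

Folder::
C:\WINDOWS\SmFtaWU
C:\WINDOWS\system32\drvr2

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3B824EC0-A15D-4FBA-8CE9-D62D70B62679}]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"="msv1_0"

Driver::
gsplittm
"""

# Constructed sample: "Files Created" and "Find3M" style lines from the ComboFix log.
LISTING = r"""2007-09-16 19:32 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-16 19:12 <DIR> d-------- C:\VundoFix Backups
2007-09-12 19:20 2,016,421 ---hs---- C:\WINDOWS\system32\yycdd.ini2
2007-09-07 23:07 2,008,051 ---hs---- C:\WINDOWS\system32\yycdd.bak2
2007-09-06 23:22 2,016,266 ---hs---- C:\WINDOWS\system32\yycdd.bak1
2007-09-06 23:14 <DIR> d--hs---- C:\WINDOWS\SmFtaWU
2006-06-04 00:03:46 56 -csh--r C:\WINDOWS\system32\EBBBF25EFF.sys
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z]+)::\s*$")
# date time[:sec]  size|<DIR>|dashes  attribute letters  path
LISTING_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)\s+"
    r"(?P<size><DIR>|[\d,]+|-+)\s+"
    r"(?P<attrs>[-a-z]+)\s+"
    r"(?P<path>.+?)\s*$"
)


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Group non-blank lines under the 'Name::' header that precedes them."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


class Listed(NamedTuple):
    when: str
    size: Optional[int]      # None for directories and Find3M dash placeholders
    attrs: str               # e.g. "---hs----", "d--------", "-csh--r"
    path: str


def parse_listing(text: str) -> List[Listed]:
    out: List[Listed] = []
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if not m:
            continue
        size = m.group("size")
        out.append(Listed(m.group("when"),
                          int(size.replace(",", "")) if size[0].isdigit() else None,
                          m.group("attrs"), m.group("path")))
    return out


def hidden_system(entries: List[Listed]) -> List[Listed]:
    """Entries carrying both the hidden (h) and system (s) attribute letters."""
    return [e for e in entries if "h" in e.attrs and "s" in e.attrs]


def check_targets(script: Dict[str, List[str]], listing: List[Listed]) -> Dict[str, Optional[str]]:
    """Map each File::/Folder:: target to its listed attributes, or None if unlisted."""
    by_path = {e.path.lower(): e for e in listing}
    report: Dict[str, Optional[str]] = {}
    for section in ("File", "Folder"):
        for target in script.get(section, []):
            hit = by_path.get(target.lower())
            report[target] = hit.attrs if hit else None
    return report


if __name__ == "__main__":
    for target, attrs in check_targets(parse_cfscript(CFSCRIPT), parse_listing(LISTING)).items():
        print(f"{target}: {attrs or 'not in listing'}")
```

    A target that comes back as "not in listing" (drvr2 in the shortened sample) is the cue to go back to the full log before running the script; a target with `h` and `s` set in a system directory is the pattern the helper keyed on here.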
  10. 2007/09/16
    ktongg

    ktongg Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    9
    Likes Received:
    0
    ComboFix 07-09-14.2 - "Jamie" 2007-09-16 20:23:34.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.150 [GMT -7:00]
    .

    ((((((((((((((((((((((((( Files Created from 2007-08-17 to 2007-09-17 )))))))))))))))))))))))))))))))
    .

    2007-09-16 19:32 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-16 19:12 <DIR> d-------- C:\VundoFix Backups
    2007-09-16 17:03 <DIR> d-------- C:\Program Files\Lavasoft
    2007-09-16 17:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-09-16 17:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-09-13 22:22 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-09-13 18:50 <DIR> d-------- C:\DOCUME~1\Jamie\APPLIC~1\OfficeUpdate12
    2007-09-13 18:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
    2007-09-13 18:03 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
    2007-09-13 18:03 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
    2007-09-13 18:03 116,736 --------- C:\WINDOWS\system32\aaclient.dll
    2007-09-13 17:57 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2007-09-13 07:36 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
    2007-09-12 23:23 <DIR> d-------- C:\Program Files\MSXML 6.0
    2007-09-12 23:05 <DIR> d-------- C:\Program Files\MSBuild
    2007-09-12 22:58 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
    2007-09-12 22:56 <DIR> d-------- C:\Program Files\Reference Assemblies
    2007-09-12 22:53 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
    2007-09-12 22:52 <DIR> d-------- C:\87de99da81a8b87ad3498b1d8fb1edc4
    2007-09-12 22:51 86,016 --a------ C:\WINDOWS\system32\preflib.dll
    2007-09-12 22:51 757,760 --a------ C:\WINDOWS\system32\bcm1xsup.dll
    2007-09-12 22:51 69,632 --a------ C:\WINDOWS\system32\bcmwlpkt.dll
    2007-09-12 22:51 33,664 --a------ C:\WINDOWS\system32\drivers\BCMWLNPF.SYS
    2007-09-12 22:51 2,129,920 --a------ C:\WINDOWS\system32\WLBCGCBPRO731.DLL
    2007-09-12 19:20 2,016,421 ---hs---- C:\WINDOWS\system32\yycdd.ini2
    2007-09-12 19:15 164 --a------ C:\install.dat
    2007-09-12 18:34 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
    2007-09-12 18:34 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
    2007-09-12 18:34 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
    2007-09-12 18:34 163,128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
    2007-09-12 18:34 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
    2007-09-12 18:33 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
    2007-09-12 18:33 <DIR> d-------- C:\Program Files\Webroot
    2007-09-12 18:33 <DIR> d-------- C:\DOCUME~1\Jamie\APPLIC~1\Webroot
    2007-09-12 18:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
    2007-09-12 00:42 <DIR> d-------- C:\Program Files\Free Download Manager
    2007-09-12 00:38 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-09-11 23:59 18,672 --a------ C:\WINDOWS\system32\drivers\antispyfilter.sys
    2007-09-11 22:15 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
    2007-09-11 22:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-09-11 21:40 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-09-11 21:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ParetoLogic Anti-Spyware
    2007-09-11 21:26 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Gtek
    2007-09-11 20:04 <DIR> d-------- C:\Program Files\a-squared Free
    2007-09-11 20:00 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
    2007-09-11 20:00 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
    2007-09-08 14:35 <DIR> d-------- C:\WINDOWS\uumm
    2007-09-08 14:35 <DIR> d-------- C:\Program Files\Common Files\uumm
    2007-09-07 23:07 2,008,051 ---hs---- C:\WINDOWS\system32\yycdd.bak2
    2007-09-06 23:22 2,016,266 ---hs---- C:\WINDOWS\system32\yycdd.bak1
    2007-09-06 23:14 <DIR> d--hs---- C:\WINDOWS\SmFtaWU
    2007-09-06 23:14 <DIR> d-------- C:\WINDOWS\system32\drvr2
    2007-09-06 23:14 <DIR> d-------- C:\WINDOWS\system32\cfig322
    2007-09-06 23:14 <DIR> d-------- C:\WINDOWS\system32\capcam
    2007-09-02 17:12 <DIR> d-------- C:\Program Files\Common Files\Apple
    2007-09-02 17:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-16 17:37 --------- d-------- C:\Program Files\Trend Micro
    2007-09-12 22:50 --------- d-------- C:\Program Files\Dell
    2007-09-12 21:34 --------- d--h----- C:\DOCUME~1\Jamie\APPLIC~1\Move Networks
    2007-09-12 21:26 --------- d-------- C:\Program Files\Common Files\AOL
    2007-09-12 21:26 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
    2007-09-02 17:58 --------- d-------- C:\Program Files\iTunes
    2007-09-02 17:18 --------- d-------- C:\Program Files\iPod
    2007-09-02 17:16 --------- d-------- C:\Program Files\QuickTime
    2007-09-02 17:05 --------- d-------- C:\Program Files\Apple Software Update
    2007-08-27 10:49 --------- d-------- C:\Program Files\Dl_cats
    2007-08-15 11:45 524288 --a------ C:\WINDOWS\opuc.dll
    2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
    2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll
    2007-07-28 16:09 --------- d-------- C:\DOCUME~1\Jamie\APPLIC~1\allTunes
    2007-07-28 16:08 --------- d-------- C:\Program Files\allTunes
    2007-07-28 16:08 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\allTunes
    2007-07-18 23:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-07-12 16:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
    2007-06-27 07:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
    2007-06-27 07:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
    2007-06-27 07:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-06-27 07:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-06-27 07:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-06-27 07:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-06-27 07:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-06-27 07:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-06-27 07:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-06-27 07:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-06-27 07:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-06-27 07:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-06-27 07:34 230400 --------- C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-06-27 07:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
    2007-06-27 07:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-06-27 07:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-06-27 07:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
    2007-06-27 07:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-06-27 07:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
    2007-06-27 07:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
    2007-06-27 01:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-06-27 01:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-06-27 01:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-06-27 00:00 161792 --------- C:\WINDOWS\system32\dllcache\ieakui.dll
    2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
    2007-06-25 23:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
    2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
    2007-06-19 06:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
    2006-06-04 00:03:46 56 -csh--r C:\WINDOWS\system32\EBBBF25EFF.sys
    2006-06-04 00:03:48 3,766 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3B824EC0-A15D-4FBA-8CE9-D62D70B62679}]
    C:\WINDOWS\system32\ddcyy.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Dell QuickSet "= "C:\Program Files\Dell\QuickSet\quickset.exe" [2005-08-01 15:00]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
    "SpySweeper "= "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 22:54]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "MySpaceIM "=C:\Program Files\MySpace\IM\MySpaceIM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvspqq]
    tuvspqq.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 C:\\WINDOWS\\system32\\ddcyy

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk.disabled
    backup=C:\WINDOWS\pss\Digital Line Detect.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk.disabled
    backup=C:\WINDOWS\pss\hp psc 2000 Series.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk.disabled
    backup=C:\WINDOWS\pss\hpoddt01.exe.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk.disabled
    backup=C:\WINDOWS\pss\Microsoft Office.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor.lnk.disabled
    backup=C:\WINDOWS\pss\Monitor.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jamie^Start Menu^Programs^Startup^TA_Start.lnk.disabled]
    path=C:\Documents and Settings\Jamie\Start Menu\Programs\Startup\TA_Start.lnk.disabled
    backup=C:\WINDOWS\pss\TA_Start.lnk.disabledStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
    C:\WINDOWS\system32\WLTRAY.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
    "C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Wireless Manager UI]
    C:\WINDOWS\system32\WLTRAY

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    C:\WINDOWS\system32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    C:\WINDOWS\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
    "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "TapiSrv "=3 (0x3)
    "AOL ACS "=2 (0x2)
    "PcCtlCom "=2 (0x2)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "swg "=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    "MySpaceIM "=C:\Program Files\MySpace\IM\MySpaceIM.exe
    "ModemOnHold "=C:\Program Files\NetWaiting\netWaiting.exe
    "WebBuying "=C:\Program Files\Web Buying\v1.8.3\webbuying.exe
    "uwa7pcw "= "C:\Program Files\Common Files\WinAntiVirus Pro 2007\uwa7pcw.exe" -c

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "dlcdmon.exe "= "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe "
    "dlcxmon.exe "= "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe "
    "DVDLauncher "= "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    "FaxCenterServer "= "C:\Program Files\Dell PC Fax\fm3032.exe" /s
    "hovymifez "=C:\Program Files\Internet Explorer\hovymifez22011.exe
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe "
    "MemoryCardManager "= "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe "
    "MimBoot "=C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
    "MMTray "= "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe "
    "pccguide.exe "= "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe "
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    "SynTPEnh "=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    "SunJavaUpdateSched "=C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    "SigmatelSysTrayApp "=stsystra.exe
    "RealTray "=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    R0 $sys$cor;$sys$cor;C:\WINDOWS\system32\Drivers\$sys$cor.sys
    R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
    R1 $sys$crater;$sys$crater;\??\C:\WINDOWS\system32\$sys$filesystem\crater.sys
    R2 $sys$DRMServer;Plug and Play Device Manager;C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
    R2 CD_Proxy;XCP CD Proxy;C:\WINDOWS\CDProxyServ.exe
    S3 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe -service
    S3 dlcx_device;dlcx_device;C:\WINDOWS\system32\dlcxcoms.exe -service
    S3 gsplittm;gsplittm;\??\C:\DOCUME~1\Jamie\LOCALS~1\Temp\gsplittm.sys
    S3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\PCTINDIS5.SYS
    S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
    S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
    S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
    S3 sscdserd;SAMSUNG CDMA Modem Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\sscdserd.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-16 22:40:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-09-12 04:35:32 C:\WINDOWS\Tasks\Pareto UNS.job "
    "2007-09-13 03:57:27 C:\WINDOWS\Tasks\wrSpySweeper_L0A602F69365B4797BD5AAB0E85F3FBE4.job "
    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-16 20:27:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\$sys$cor]
    "ImagePath "= "System32\Drivers\$sys$cor.sys "

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\$sys$crater]
    "ImagePath "= "\??\C:\WINDOWS\system32\$sys$filesystem\crater.sys "

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\$sys$DRMServer]
    "ImagePath "= "C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe "
    .
    Completion time: 2007-09-16 20:29:48
    C:\ComboFix-quarantined-files.txt ... 2007-09-16 20:29
    C:\ComboFix2.txt ... 2007-09-16 19:43
    .
    --- E O F ---

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:32:28 PM, on 9/16/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\CDProxyServ.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3B824EC0-A15D-4FBA-8CE9-D62D70B62679} - C:\WINDOWS\system32\ddcyy.dll (file missing)
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Dell QuickSet] "C:\Program Files\Dell\QuickSet\quickset.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189658592953
    O20 - Winlogon Notify: tuvspqq - tuvspqq.dll (file missing)
    O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
    O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
    O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 7181 bytes
     
  11. 2007/09/16
    noahdfear
    You didn't run it properly that time. Please go back to my previous post and redo the CFScript.txt instructions. After creating the CFScript.txt file, you have to drag it on top of ComboFix.exe and drop it.
     
  12. 2007/09/16
    ktongg
    Okay, I think I did it right this time:

    ComboFix 07-09-14.2 - "Jamie" 2007-09-16 20:42:12.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.118 [GMT -7:00]
    Command switches used :: C:\Documents and Settings\Jamie\Desktop\virus problem\CFScript.txt
    * Created a new restore point

    FILE::
    C:\WINDOWS\system32\yycdd.ini2
    C:\WINDOWS\system32\yycdd.bak2
    C:\WINDOWS\system32\yycdd.bak1
    C:\WINDOWS\system32\EBBBF25EFF.sys
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\SmFtaWU
    C:\WINDOWS\system32\capcam
    C:\WINDOWS\system32\cfig322
    C:\WINDOWS\system32\drvr2
    C:\WINDOWS\system32\EBBBF25EFF.sys
    C:\WINDOWS\system32\yycdd.bak1
    C:\WINDOWS\system32\yycdd.bak2
    C:\WINDOWS\system32\yycdd.ini2

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_GSPLITTM
    -------\gsplittm


    ((((((((((((((((((((((((( Files Created from 2007-08-17 to 2007-09-17 )))))))))))))))))))))))))))))))
    .

    2007-09-16 19:32 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-16 19:12 <DIR> d-------- C:\VundoFix Backups
    2007-09-16 17:03 <DIR> d-------- C:\Program Files\Lavasoft
    2007-09-16 17:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-09-16 17:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-09-13 22:22 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-09-13 18:50 <DIR> d-------- C:\DOCUME~1\Jamie\APPLIC~1\OfficeUpdate12
    2007-09-13 18:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
    2007-09-13 18:03 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
    2007-09-13 18:03 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
    2007-09-13 18:03 116,736 --------- C:\WINDOWS\system32\aaclient.dll
    2007-09-13 17:57 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2007-09-13 07:36 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
    2007-09-12 23:23 <DIR> d-------- C:\Program Files\MSXML 6.0
    2007-09-12 23:05 <DIR> d-------- C:\Program Files\MSBuild
    2007-09-12 22:58 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
    2007-09-12 22:56 <DIR> d-------- C:\Program Files\Reference Assemblies
    2007-09-12 22:53 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
    2007-09-12 22:52 <DIR> d-------- C:\87de99da81a8b87ad3498b1d8fb1edc4
    2007-09-12 22:51 86,016 --a------ C:\WINDOWS\system32\preflib.dll
    2007-09-12 22:51 757,760 --a------ C:\WINDOWS\system32\bcm1xsup.dll
    2007-09-12 22:51 69,632 --a------ C:\WINDOWS\system32\bcmwlpkt.dll
    2007-09-12 22:51 33,664 --a------ C:\WINDOWS\system32\drivers\BCMWLNPF.SYS
    2007-09-12 22:51 2,129,920 --a------ C:\WINDOWS\system32\WLBCGCBPRO731.DLL
    2007-09-12 19:15 164 --a------ C:\install.dat
    2007-09-12 18:34 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
    2007-09-12 18:34 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
    2007-09-12 18:34 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
    2007-09-12 18:34 163,128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
    2007-09-12 18:34 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
    2007-09-12 18:33 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
    2007-09-12 18:33 <DIR> d-------- C:\Program Files\Webroot
    2007-09-12 18:33 <DIR> d-------- C:\DOCUME~1\Jamie\APPLIC~1\Webroot
    2007-09-12 18:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
    2007-09-12 00:42 <DIR> d-------- C:\Program Files\Free Download Manager
    2007-09-12 00:38 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-09-11 23:59 18,672 --a------ C:\WINDOWS\system32\drivers\antispyfilter.sys
    2007-09-11 22:15 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
    2007-09-11 22:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-09-11 21:40 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-09-11 21:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ParetoLogic Anti-Spyware
    2007-09-11 21:26 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Gtek
    2007-09-11 20:04 <DIR> d-------- C:\Program Files\a-squared Free
    2007-09-11 20:00 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
    2007-09-11 20:00 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
    2007-09-08 14:35 <DIR> d-------- C:\WINDOWS\uumm
    2007-09-08 14:35 <DIR> d-------- C:\Program Files\Common Files\uumm
    2007-09-02 17:12 <DIR> d-------- C:\Program Files\Common Files\Apple
    2007-09-02 17:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-16 17:37 --------- d-------- C:\Program Files\Trend Micro
    2007-09-12 22:50 --------- d-------- C:\Program Files\Dell
    2007-09-12 21:34 --------- d--h----- C:\DOCUME~1\Jamie\APPLIC~1\Move Networks
    2007-09-12 21:26 --------- d-------- C:\Program Files\Common Files\AOL
    2007-09-12 21:26 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
    2007-09-02 17:58 --------- d-------- C:\Program Files\iTunes
    2007-09-02 17:18 --------- d-------- C:\Program Files\iPod
    2007-09-02 17:16 --------- d-------- C:\Program Files\QuickTime
    2007-09-02 17:05 --------- d-------- C:\Program Files\Apple Software Update
    2007-08-27 10:49 --------- d-------- C:\Program Files\Dl_cats
    2007-08-15 11:45 524288 --a------ C:\WINDOWS\opuc.dll
    2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
    2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll
    2007-07-28 16:09 --------- d-------- C:\DOCUME~1\Jamie\APPLIC~1\allTunes
    2007-07-28 16:08 --------- d-------- C:\Program Files\allTunes
    2007-07-28 16:08 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\allTunes
    2007-07-18 23:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-07-12 16:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
    2007-06-27 07:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
    2007-06-27 07:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
    2007-06-27 07:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-06-27 07:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-06-27 07:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-06-27 07:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-06-27 07:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-06-27 07:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-06-27 07:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-06-27 07:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-06-27 07:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-06-27 07:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-06-27 07:34 230400 --------- C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-06-27 07:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
    2007-06-27 07:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-06-27 07:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-06-27 07:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
    2007-06-27 07:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-06-27 07:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
    2007-06-27 07:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
    2007-06-27 01:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-06-27 01:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-06-27 01:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-06-27 00:00 161792 --------- C:\WINDOWS\system32\dllcache\ieakui.dll
    2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
    2007-06-25 23:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
    2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
    2007-06-19 06:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
    2006-06-04 00:03:48 3,766 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Dell QuickSet "= "C:\Program Files\Dell\QuickSet\quickset.exe" [2005-08-01 15:00]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
    "SpySweeper "= "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 22:54]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "MySpaceIM "=C:\Program Files\MySpace\IM\MySpaceIM.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk.disabled
    backup=C:\WINDOWS\pss\Digital Line Detect.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk.disabled
    backup=C:\WINDOWS\pss\hp psc 2000 Series.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk.disabled
    backup=C:\WINDOWS\pss\hpoddt01.exe.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk.disabled
    backup=C:\WINDOWS\pss\Microsoft Office.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor.lnk.disabled
    backup=C:\WINDOWS\pss\Monitor.lnk.disabledCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jamie^Start Menu^Programs^Startup^TA_Start.lnk.disabled]
    path=C:\Documents and Settings\Jamie\Start Menu\Programs\Startup\TA_Start.lnk.disabled
    backup=C:\WINDOWS\pss\TA_Start.lnk.disabledStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
    C:\WINDOWS\system32\WLTRAY.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
    "C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Wireless Manager UI]
    C:\WINDOWS\system32\WLTRAY

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    C:\WINDOWS\system32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    C:\WINDOWS\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
    "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "TapiSrv "=3 (0x3)
    "AOL ACS "=2 (0x2)
    "PcCtlCom "=2 (0x2)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "swg "=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    "MySpaceIM "=C:\Program Files\MySpace\IM\MySpaceIM.exe
    "ModemOnHold "=C:\Program Files\NetWaiting\netWaiting.exe
    "WebBuying "=C:\Program Files\Web Buying\v1.8.3\webbuying.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "dlcdmon.exe "= "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe "
    "dlcxmon.exe "= "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe "
    "DVDLauncher "= "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    "FaxCenterServer "= "C:\Program Files\Dell PC Fax\fm3032.exe" /s
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe "
    "MemoryCardManager "= "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe "
    "MimBoot "=C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
    "MMTray "= "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe "
    "pccguide.exe "= "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe "
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    "SynTPEnh "=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    "SunJavaUpdateSched "=C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    "SigmatelSysTrayApp "=stsystra.exe
    "RealTray "=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    R0 $sys$cor;$sys$cor;C:\WINDOWS\system32\Drivers\$sys$cor.sys
    R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
    R1 $sys$crater;$sys$crater;\??\C:\WINDOWS\system32\$sys$filesystem\crater.sys
    R2 $sys$DRMServer;Plug and Play Device Manager;C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
    R2 CD_Proxy;XCP CD Proxy;C:\WINDOWS\CDProxyServ.exe
    S3 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe -service
    S3 dlcx_device;dlcx_device;C:\WINDOWS\system32\dlcxcoms.exe -service
    S3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\PCTINDIS5.SYS
    S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
    S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
    S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
    S3 sscdserd;SAMSUNG CDMA Modem Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\sscdserd.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-16 22:40:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-09-12 04:35:32 C:\WINDOWS\Tasks\Pareto UNS.job "
    "2007-09-13 03:57:27 C:\WINDOWS\Tasks\wrSpySweeper_L0A602F69365B4797BD5AAB0E85F3FBE4.job "
    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-16 20:55:51
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\$sys$cor]
    "ImagePath "= "System32\Drivers\$sys$cor.sys "

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\$sys$crater]
    "ImagePath "= "\??\C:\WINDOWS\system32\$sys$filesystem\crater.sys "

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\$sys$DRMServer]
    "ImagePath "= "C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe "
    .
    Completion time: 2007-09-16 20:58:52 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-16 20:58
    C:\ComboFix2.txt ... 2007-09-16 20:29
    C:\ComboFix3.txt ... 2007-09-16 19:43
    .
    --- E O F ---


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:59:28 PM, on 9/16/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\CDProxyServ.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Dell QuickSet] "C:\Program Files\Dell\QuickSet\quickset.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189658592953
    O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
    O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
    O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 7079 bytes
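    The checks the helper applies by eye to the log above can be scripted. The following is an added example, not part of the thread and not code from HijackThis or ComboFix: it flags entries whose file is missing (a registration such as the `{7E853D72-...}` BHO that outlived its DLL, which HijackThis removes with Fix checked), paths using the `$sys$` prefix that the First 4 Internet XCP (Sony BMG) rootkit driver hid from directory listings and the registry, `O23` services with no file-version company string, and the Vundo habit visible in the ComboFix FILE:: section of dropping a DLL (`ddcyy.dll`) beside .ini/.bak files whose stem is the DLL's name reversed (`yycdd.*`). The sample lines are excerpted from the logs posted in this thread; the rules are heuristics for triage, not a verdict on any entry.

```python
"""Triage helper for HijackThis / ComboFix style log lines (added example)."""
import re
from collections import defaultdict

# Sample input: lines excerpted from the HijackThis log posted in the thread.
SAMPLE_HJT = "\n".join([
    r"O2 - BHO: (no name) - {3B824EC0-A15D-4FBA-8CE9-D62D70B62679} - C:\WINDOWS\system32\ddcyy.dll (file missing)",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll",
    r"O20 - Winlogon Notify: tuvspqq - tuvspqq.dll (file missing)",
    r"O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe",
    r"O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe",
    r"O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe",
])

# Sample input: paths from the ComboFix FILE:: section plus one clean DLL.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\ddcyy.dll",
    r"C:\WINDOWS\system32\yycdd.ini2",
    r"C:\WINDOWS\system32\yycdd.bak1",
    r"C:\WINDOWS\system32\kernel32.dll",
]

MISSING_TAGS = ("(file missing)", "(no file)")
HJT_LINE = re.compile(r"^([OR]\d+)\s+-\s+(.*)$")


def triage_hjt(log_text):
    """Return (section, reason, line) findings for HijackThis-style lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # running-process list, headers, etc.
        section, body = m.groups()
        if any(tag in body for tag in MISSING_TAGS):
            # Registration survived the file: harmless but should be fixed.
            findings.append((section, "orphaned entry, file missing", line))
        if "$sys$" in body:
            # Naming convention of the XCP rootkit, which hid $sys$* objects.
            findings.append((section, "$sys$ prefix (XCP rootkit naming)", line))
        if section == "O23" and "Unknown owner" in body:
            # Service binary carries no company string; worth a closer look.
            findings.append((section, "service with no version company", line))
    return findings


def vundo_pairs(paths):
    """Return (dll, companions) where a sibling's stem is the DLL stem reversed."""
    by_dir = defaultdict(list)
    for p in paths:
        directory, _, name = p.rpartition("\\")
        by_dir[directory.lower()].append(name)
    pairs = []
    for names in by_dir.values():
        for name in names:
            stem, dot, ext = name.rpartition(".")
            if not dot or ext.lower() != "dll":
                continue
            rev = stem[::-1].lower()
            if rev == stem.lower():
                continue  # palindrome: foo.dll + foo.ini is the normal case
            companions = [n for n in names
                          if n is not name and n.lower().startswith(rev + ".")]
            if companions:
                pairs.append((name, sorted(companions)))
    return pairs


if __name__ == "__main__":
    for section, reason, line in triage_hjt(SAMPLE_HJT):
        print(f"[{section}] {reason}: {line}")
    for dll, companions in vundo_pairs(SAMPLE_FILES):
        print(f"Vundo-style pair: {dll} <-> {', '.join(companions)}")
```

    On the excerpt this reports three orphaned entries, the `$sys$DRMServer` service, the `CD_Proxy` service with no company string, and the `ddcyy.dll` / `yycdd.*` pair; the Google and iPod lines pass untouched. A real log should still be read in full, since a clean-looking `O23` line with a plausible company string proves nothing on its own.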
     
  13. 2007/09/16
    noahdfear
    Perfect! :)

    Now, scan again with HijackThis and place a check next to the following entry, then click Fix Checked.

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


    Tell me what is in these 2 folders please.

    C:\WINDOWS\uumm
    C:\Program Files\Common Files\uumm


    Let's get an online scan now too. Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log.
     
  14. 2007/09/16
    ktongg
    The folder C:\WINDOWS\uumm contains two files: one DAT file titled UUMM, and one file titled WU.

    The folder C:\Program Files\Common Files\uumm contains a folder uummd, which contains nothing.

    I will run the next scan and then post the log.
     
  15. 2007/09/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Right click the WU file in the windows\uumm folder and select properties. Is there any company, version, etc info anywhere?
     
  16. 2007/09/17
    ktongg

    ktongg Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    9
    Likes Received:
    0
    No info in the properties other than when it was created & modified:

    Created: Saturday, September 08, 2007, 2:35:31 PM
    Modified: Friday, July 26, 2002, 5:02:06 PM

    Here are the logs from the Kaspersky scan & HijackThis:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, September 17, 2007 7:25:25 AM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.1
    Kaspersky Anti-Virus database last update: 17/09/2007
    Kaspersky Anti-Virus database records: 419560
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 78383
    Number of viruses found: 11
    Number of infected objects: 26
    Number of suspicious objects: 0
    Duration of the scan process: 01:11:55

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
    C:\Documents and Settings\Jamie\Application Data\Webroot\Spy Sweeper\Logs\070916205624.ses Object is locked skipped
    C:\Documents and Settings\Jamie\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Jamie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Jamie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Jamie\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Jamie\Local Settings\Temp\~DF9C44.tmp Object is locked skipped
    C:\Documents and Settings\Jamie\Local Settings\Temp\~DF9C54.tmp Object is locked skipped
    C:\Documents and Settings\Jamie\Local Settings\Temp\~DFDCAF.tmp Object is locked skipped
    C:\Documents and Settings\Jamie\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Jamie\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Jamie\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Jamie\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS057B5D3F-C4BE-4376-81A5-BD836392B2F2.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS06CDD324-EC6F-49A1-9A4B-0A6ED3B6917F.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS09420CED-5B12-4858-83EC-243647B30AC7.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS09A199BB-97B6-4081-9744-C290CA25E174.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS0B60001A-1880-49F9-9F65-6506AEC631D5.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1656906D-FE6B-421B-8688-22F031FE94D0.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1BFAD676-0224-4141-B045-9EC40F406A1C.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1FDB9540-B4DC-4409-ABA4-3B831D39ED1C.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS270B996C-D92D-43C5-8B41-9A28B19C23F8.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS279FF63A-A733-47DD-9B59-0311BC8F9933.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS27FD4F13-5D71-4A00-9200-1EB1433D97F7.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS29117F43-E81E-40B3-ABAB-CE6FCD21202E.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS293A9A00-6A6F-4983-8AF7-07974950C8C8.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS2942E813-99E0-480C-947A-8DE8502F42F1.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS337DD994-3E53-4654-A1E3-BC57791809DA.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS343BB09B-8AF9-4DAD-A4A9-EC3A3B016820.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3876EDFF-531C-4CA5-A26E-7129CFD8AA09.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3AD8E18D-DD81-4997-B762-DCF84433A58D.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3B39C5DE-54C7-4036-BAB7-D4CE5B1436D4.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3D2B2A10-A94F-4D49-9E96-E74F17A44EFE.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3EB23913-924F-4762-B3AD-7A4B734B4BCA.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS419B57DA-5B1D-4827-9408-BAC477BDBE08.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS451670B8-A0FA-43F3-A729-FDEFB1849174.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS46CA31C7-BA01-4AF2-B0BC-0A6787637696.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS48BAA88D-74C6-4B31-8801-03E48F431F0F.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4CBE660E-D129-4298-B30F-B44392BEE95C.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4CC5B27D-D10A-48CC-8E44-E1EABAF6D590.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS501C644E-DC0B-4FBE-B97F-8811AE20BAE6.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS526E2A42-45FE-44FD-9B7E-3FA8BDCA5F64.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS591FD55A-69AC-4E54-BE9E-F5DC55899E56.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5C1E0837-F05D-4BC5-B030-AAC4A82B9B91.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5EA63C3E-B650-431E-BA35-606AF56316A4.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS64B76ABC-1290-4483-9855-CC545F0F044E.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6850E6F6-0CCF-4C70-85D7-D90E7104AC1E.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS68802932-7913-4FEC-AC65-6BFEEE77974C.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6C018455-7450-4E65-A652-4170E54E8EFA.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6C679BD4-FF33-44DE-88A7-38DB7F849BDF.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6E5CB559-93A0-4BBC-90AD-480166505051.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS72FE31E0-8E11-4B08-99CD-65DA709057F7.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS784CBE19-14DF-4779-B8D6-8EF02C8D2639.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS78D7442A-9EC7-4BD3-A9DD-8F4442FC81C3.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS7FC37482-65EC-4650-A9EA-8173544C564E.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS850552A6-831B-479C-A079-BB2E7C292C95.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS86EE3BEF-5DD2-4F85-B79E-406A182359C2.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS89BBA319-B1AE-4152-8F07-33FE366A8F74.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS89F6EC49-92C9-47D9-8B0F-8664AA85F950.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS8AD25767-0AEB-40E3-9681-1EDFB70DF0E0.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS8AECC53D-CB7E-4A0E-9E22-273E4B4F31CC.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS90B32AA8-FC28-4EDC-9533-8F0BC342897C.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS95DB520A-A445-4DF4-A784-14DB4E873A40.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS96A1476F-45BE-485B-B2AA-A00884C1464B.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9771023C-52FA-4EE5-B9A7-94ADAAF4A755.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9C660AA9-BD6F-43B1-914A-16FE7D87E386.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9E98CE22-B2FD-4C2C-B8AC-49BA41711AF2.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA72626B0-4D9C-4A84-9F33-ACA875C63491.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSAAF19B4E-95E4-44E9-9F5C-B9D56CC742E5.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSADB4C502-C942-4077-93E4-96C2A1ACA70B.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB4FAAB3D-7DEC-47E4-9955-8ECB1604EEAC.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBB25B578-A4D9-4125-BB72-893909EF2182.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBB8EE815-4B07-4B01-B0FC-01D35C22303C.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBC402AE8-7094-4930-850C-854D6940BEA7.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBCC2418A-01CB-4BC2-8DDE-E5D66ED2CE17.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBCF9B817-3294-4840-B5AA-AC190F46CD32.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBD46048C-8C02-49E9-8896-60A8E9DF6D24.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBDBF7409-C666-4130-9D53-19F2C86461AE.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBEB363E3-E0DB-4C51-95D0-0EBF783EBACD.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCB49AB61-003E-4752-BF02-431D639E4C48.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCBD6C7C0-2114-469F-B27B-8549351E2617.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCCB66FFD-93E8-4E4F-952A-4155611BDB37.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCDD2EF51-3822-4773-BE9C-6A6BCF1FD1B2.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCEABE80F-88D9-498B-B7B0-235D4CDFFFA7.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD061D635-9896-4F20-98F5-6296B4E18816.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD28F69B8-64C5-4835-AAAD-B284EC6DFBA5.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD464FBE5-3487-4F1E-ACC0-24FB763E84D3.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD6B089CD-0C79-4C46-B2E4-B544C1C6B94E.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDB7696FC-BBD9-4802-BF02-CE6887DB273B.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDC659F89-C34A-41C6-BCA6-66D44AC11A04.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE3FB9E3B-65F8-4DE6-A080-23D7222B37DD.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE6705911-0843-4B5E-8D97-E55884F2C1AB.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE8A0F9FC-02D6-4F5F-8FC7-C9142211ED89.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSEB226700-BF77-46A3-A492-150F835AF4CC.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSEBEA36D3-08FE-4B52-898B-C577D9B48825.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSEEE2D2D8-6442-41CC-819B-965149747E49.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSEF7C9B63-07A7-4F66-A846-3DCB71EA2E8B.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF231DB86-4D31-46BA-A398-C7CBE4496034.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF67A4B0D-CE33-4AED-9B54-A52E494E56E1.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF83CAB80-DE28-4080-B8B0-700FF5450A43.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSFB0FDF0F-9EFD-42A0-9099-72659AC1B98B.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSFFEC5556-6113-4F86-8EFA-0850A26B8A57.tmp Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
    C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
    C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
    C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
    C:\qoobox\Quarantine\C\WINDOWS\b122.exe.vir Infected: not-a-virus:AdWare.Win32.Rond.c skipped
    C:\qoobox\Quarantine\C\WINDOWS\DOWNLO~1\UWA7P_0001_N99M2908NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\hatydvdm.exe.vir Infected: Trojan.Win32.Agent.bck skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP236\A0053371.exe/file01 Infected: Trojan-Downloader.Win32.Agent.alr skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP236\A0053371.exe Inno: infected - 1 skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP238\A0053454.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP238\A0053459.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP238\A0053494.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP238\A0053494.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP238\A0053494.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP238\A0053495.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fz skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP238\A0053503.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP238\A0053504.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP239\A0069605.exe/file01 Infected: Trojan-Downloader.Win32.Agent.alr skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP239\A0069605.exe Inno: infected - 1 skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP239\A0069609.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP240\A0072715.exe/file01 Infected: Trojan-Downloader.Win32.Agent.alr skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP240\A0072715.exe Inno: infected - 1 skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP240\A0074706.exe Infected: Trojan-Downloader.Win32.Agent.djj skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP240\A0074708.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP245\A0077979.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP245\A0077990.exe Infected: Trojan-Downloader.Win32.VB.bgd skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP245\A0077995.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP250\A0079631.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP254\A0079891.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP254\A0079892.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP255\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:26:41 AM, on 9/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\CDProxyServ.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Dell QuickSet] "C:\Program Files\Dell\QuickSet\quickset.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189658592953
    O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
    O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
    O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 7073 bytes
     
  17. 2007/09/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    WooHoo! Kaspersky scan looks great! :)

    Delete those two uumm folders.
    Delete all of the following tools we have used, and the files/folders they created.

    C:\ComboFix
    C:\QOOBOX
    C:\VundoFix Backups
    C:\WINDOWS\nircmd.exe
    combofix.exe
    vundofix.exe
    all combofix and vundofix logs


    Download ATF Cleaner by Atribune and save it to your Desktop.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Reboot


    If you're satisfied that the computer is working properly, clear the System Restore points. They are infected.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click Next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point' then click Next. Give the restore point a name and click Next.


    Your computer is now clean! Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showpost.php?p=356653&postcount=49

    Surf safe!
     
  18. 2007/09/18
    ktongg

    ktongg Inactive Thread Starter

    Joined:
    2007/09/16
    Messages:
    9
    Likes Received:
    0
    Thank you SOOOOO much. You have been very helpful!
     
  19. 2007/09/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    My pleasure. Glad I could help. :)
     