
Solved Trojan problem, please help, thanks!

Discussion in 'Malware and Virus Removal Archive' started by zepheryn, 2008/04/12.

  1. 2008/04/12
    zepheryn

    zepheryn Inactive Thread Starter

    Joined:
    2008/04/12
    Messages:
    16
    Likes Received:
    0
    [Resolved]Trojan problem, please help, thanks!

    Hello, I turned on my computer today and found that I can't open or run most of my programs. I keep getting "C:\WINDOWS\system32\drivers\spools.exe
    The NTVDM CPU has encountered an illegal instruction.
    CS:0dca IP:-13d OP:f0 85 38 90 3a Choose 'Close' to terminate the application." I speculate it might have to do with a program I downloaded last night. >.<

    I browsed through other topics with the same problem and downloaded SmitfraudFix, HiJackThis and Deckard's System Scanner, hoping I could get a log to help facilitate this process, but I couldn't even get those 3 programs to run (I downloaded them but can't run them). I tried to scan (McAfee) and used system restore but nothing helped. Fortunately, I can still use Firefox (through Start) to search for help. Is there any other way to get rid of this trojan if I can't run those 3 programs and get a log?

    I currently have no money to bring it to a pc center to get it fixed professionally so I'm going to try and fix it myself. Any help will be much appreciated, thanks!!!
     
  2. 2008/04/12
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi zepheryn
    Welcome to Windowsbbs. :)

    Please do the following.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\WINDOWS\system32\drivers\spools.exe

    Now please try to run and post a HJT log and a dss log.

    Do not run smitfraud.

    Thanks
    Geri
     


  4. 2008/04/12
    zepheryn

    zepheryn Inactive Thread Starter

    Joined:
    2008/04/12
    Messages:
    16
    Likes Received:
    0
    Hiya, thanks for the reply. I do have that file and tried to delete the spools.exe but it keeps on saying "Cannot delete spools: It is being used by another person or program." I closed every program and even tried it in safe mode, but it still wouldn't let me delete it. What should I do? Thanks!
     
  5. 2008/04/12
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Let's see if safe mode will work.

    Reboot into safe mode.
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Then try to delete it and post the logs.

    Thanks
    Geri
     
  6. 2008/04/12
    zepheryn

    zepheryn Inactive Thread Starter

    Joined:
    2008/04/12
    Messages:
    16
    Likes Received:
    0
    I also tried it in safe mode, but it still wouldn't let me delete it >.<
     
  7. 2008/04/13
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, let's try this.

    Download Unlocker
    Once installed:
    Locate the file > C:\WINDOWS\system32\drivers\spools.exe
    Right-click and select 'Unlocker'
    In the window that appears select 'Unlock All'
    In the drop down menu select 'delete'.

    Let me know if that worked.

    Thanks
    Geri
     
  8. 2008/04/13
    zepheryn

    zepheryn Inactive Thread Starter

    Joined:
    2008/04/12
    Messages:
    16
    Likes Received:
    0
    Hiya, sorry to keep troubling you ^^;

    I downloaded Unlocker but can't get it to open and install. I tried using Run from the Start menu but that didn't work either.

    I then rebooted and tried to open it in safe mode, but failed also. I guess the problem at the beginning was that spools.exe keeps interrupting my opening of programs :X

    Quick question: if I were to reformat my computer, will the computer be reset back to its original state when it came to me or do I need professionals to install all the basic programs again? I bought this computer new (with no Microsoft Office package, it only has NotePad and other basic accessories) from Dell, if this helps...

    Thanks so much for your time! :D
     
  9. 2008/04/13
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK I don't believe a reformat is necessary, at this point anyway.

    I have no problem trying to work this out if you want to keep trying.

    If I can't, I know someone who will come here and figure this out.

    Let me know if you wish to keep trying.

    If you wish to keep going, then let's try this.

    Go to the file, right-click on it and click "Rename".

    Rename it spools.old and OK any prompts.

    If it will rename try the scans again.

    What version of Windows are you running? XP or Vista?

    Geri
     
  10. 2008/04/13
    zepheryn

    zepheryn Inactive Thread Starter

    Joined:
    2008/04/12
    Messages:
    16
    Likes Received:
    0
    Hi there,

    I'm willing to try ^.^

    I tried to rename it but it won't let me. I'm using XP Home Edition; I don't remember the other specs and it won't let me check the properties from My Computer.

    Thanks a bunch!
     
  11. 2008/04/13
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi

    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View tab. Under Files and Folders,
    make sure Hide extensions for known file types is NOT checked.
    If it is, uncheck it, click Apply, then OK.

    Close those windows.

    Download the exe fix from here.
    Extract the file from the zip and double click (it's a reg file) to merge with the registry. If windows does not know what program to open it with, browse to and select C:\Windows\regedit.exe and it should merge with the registry.


    Now let's run ComboFix.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.


    Let me know.

    Thanks
    Geri
     
  12. 2008/04/13
    zepheryn

    zepheryn Inactive Thread Starter

    Joined:
    2008/04/12
    Messages:
    16
    Likes Received:
    0
    This is my ComboFix log, working on HiJackThis log next ^^

    By the way, I noticed when my computer rebooted, the annoying "C:\WINDOWS\system32\drivers\spools.exe" windows don't pop up anymore, I'm so excited :D

    ComboFix 08-04-13.1 - Jenny 2008-04-13 15:11:44.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1599 [GMT -7:00]
    Running from: C:\Documents and Settings\Jenny\Desktop\ComboFix.exe
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    /wow section - STAGE 35
    pv: No matching processes found
    'TIEBHOCom' is not recognized as an internal or external command
    grep: (standard input): Not enough space

    TimedOut: progfile.dat

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Jenny\Favorites\.url
    C:\WINDOWS\1.exe
    C:\WINDOWS\17PHolmes22.exe
    C:\WINDOWS\17PHolmes321.exe
    C:\WINDOWS\17PHolmes403.exe
    C:\WINDOWS\acdsee321.dll
    C:\WINDOWS\dodolook636.exe
    C:\WINDOWS\system32\drivers\acpidisk.sys
    C:\WINDOWS\system32\drivers\spools.exe
    C:\WINDOWS\system32\mprmsgse.axz
    C:\WINDOWS\system32\mscpx32r.det

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_ACPIDISK
    -------\Service_acpidisk
    -------\Legacy_Schedule
    -------\Schedule


    ((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
    .

    2008-04-12 22:59 . 2008-04-12 22:59 242,313 --a------ C:\unlocker1.8.6.exe
    2008-04-12 20:50 . 2008-04-12 20:50 <DIR> d--h----- C:\WINDOWS\PIF
    2008-04-12 19:26 . 2008-04-12 19:31 <DIR> d-------- C:\HJT
    2008-04-12 19:19 . 2008-04-12 19:18 686,630 --a------ C:\dss.exe
    2008-04-12 18:25 . 2008-04-12 18:25 <DIR> d-------- C:\Program Files\NetProject
    2008-04-12 18:20 . 2008-04-12 18:21 1,307,888 --a------ C:\SmitfraudFix.exe
    2008-04-12 18:11 . 2008-04-12 18:09 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-04-12 18:09 . 2008-04-12 18:25 <DIR> d-------- C:\Documents and Settings\Jenny\.housecall6.6
    2008-04-12 16:07 . 2008-04-12 16:07 573,440 --a------ C:\WINDOWS\Setup802.exe
    2008-04-12 16:06 . 2008-04-12 16:06 63,493 --a------ C:\WINDOWS\guyi-emply.exe
    2008-04-12 16:06 . 2008-04-12 16:06 58,880 --a------ C:\kqkmnh.exe
    2008-04-12 16:06 . 2008-04-12 16:06 55,218 --a------ C:\WINDOWS\zeqbqwp.sys
    2008-04-12 16:06 . 2008-04-12 16:06 25,875 --a------ C:\Program Files\Common Files\m2.exe
    2008-04-12 16:06 . 2008-04-12 16:06 22,016 --a------ C:\WINDOWS\system32\ccwld16_080412.dll
    2008-04-12 16:06 . 2008-04-12 16:06 15,978 --a------ C:\Documents and Settings\Jenny\cftmon.exe
    2008-04-12 16:06 . 2008-04-12 16:06 13,312 --a------ C:\becc.exe
    2008-04-12 16:06 . 2008-04-12 16:06 4,096 --a------ C:\yfwerj.exe
    2008-04-12 16:06 . 2008-04-12 16:07 218 --a------ C:\WINDOWS\ccwl16.ini
    2008-04-12 16:06 . 2008-04-12 16:06 48 --a------ C:\smp.bat
    2008-04-12 16:06 . 2008-04-12 16:06 2 --a------ C:\-1808455753
    2008-04-11 22:40 . 2008-04-11 22:40 222,720 --a------ C:\WINDOWS\system32\qelksqpucieqg.dll
    2008-04-11 22:39 . 2008-04-11 22:39 222,720 --a------ C:\WINDOWS\system32\oerniratgkdqj.dll
    2008-04-11 22:39 . 2008-04-12 16:07 160 --a------ C:\WINDOWS\system32\resiifers.ini
    2008-04-01 21:11 . 2008-04-01 21:11 <DIR> d-------- C:\Program Files\AutoHotkey
    2008-04-01 20:42 . 2008-04-01 20:43 <DIR> d-------- C:\Program Files\Macro Express3
    2008-04-01 20:42 . 2008-04-01 20:42 <DIR> d-------- C:\Program Files\Common Files\Insight Software Solutions
    2008-04-01 20:42 . 2008-04-01 20:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Insight Software Solutions
    2008-04-01 20:42 . 2008-04-01 20:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Insight Software
    2008-03-29 22:01 . 2008-04-01 21:11 <DIR> d-------- C:\WINDOWS\ShellNew
    2008-03-29 22:01 . 2008-03-29 22:01 <DIR> d-------- C:\Program Files\AutoIt3
    2008-03-29 13:30 . 2008-03-29 13:30 754 --a------ C:\WINDOWS\WORDPAD.INI
    2008-03-21 23:50 . 2008-04-05 13:19 83,160 --a------ C:\WINDOWS\system32\drivers\scskusbs.sys
    2008-03-21 23:50 . 2008-04-05 13:19 19,504 --a------ C:\WINDOWS\system32\drivers\scskusbf.sys
    2008-03-21 23:15 . 2008-03-21 23:15 <DIR> d-------- C:\Program Files\KRU

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-13 20:21 --------- d-----w C:\Program Files\McAfee
    2008-04-04 00:49 --------- d-----w C:\Program Files\Tudou
    2008-03-15 01:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
    2008-03-10 03:03 --------- d-----w C:\Documents and Settings\Jenny\Application Data\dvdcss
    2008-03-07 06:37 --------- d-----w C:\Program Files\Common Files\DirectX
    2008-03-07 06:23 --------- d-----w C:\Program Files\Outspark
    2008-03-07 03:55 --------- d-----w C:\Program Files\SystemRequirementsLab
    2008-03-07 03:55 --------- d-----w C:\Documents and Settings\Jenny\Application Data\SystemRequirementsLab
    2008-03-04 02:20 --------- d-----w C:\Documents and Settings\Jenny\Application Data\968 Series
    2008-03-01 05:56 --------- d-----w C:\Documents and Settings\Jenny\Application Data\Corel
    2008-03-01 05:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
    2008-03-01 05:35 --------- d-----w C:\Program Files\Dell 968 AIO Printer
    2008-03-01 05:35 --------- d-----w C:\Program Files\Corel
    2008-03-01 05:35 --------- d-----w C:\Program Files\Common Files\Corel
    2008-03-01 05:35 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
    2008-03-01 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\968 Series
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7c109800-a5d5-438f-9640-18d17e168b88}]
    2008-04-12 16:07 10240 --a------ C:\Program Files\NetProject\sbmdl.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{51D81DD5-55B7-497F-95DB-D356429BB54E} "= "C:\Program Files\NetProject\wamdl.dll" [2008-04-12 16:07 86528]

    [HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{51D81DD5-55B7-497F-95DB-D356429BB54E} "= C:\Program Files\NetProject\wamdl.dll [2008-04-12 16:07 86528]

    [HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport "= "C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
    "iTudouAutoStart "= "C:\Program Files\Tudou\iTudou\iTudou.exe" [2007-11-21 19:21 958464]
    "TudouVAStart "= "C:\Program Files\Tudou\TudouVA.exe" [2008-04-03 17:48 995008]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray "= "C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01 67584]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
    "SigmatelSysTrayApp "= "stsystra.exe" [2007-04-12 04:16 282624 C:\WINDOWS\stsystra.exe]
    "ISUSPM Startup "= "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
    "RoxWatchTray "= "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 10:22 221184]
    "RoxioDragToDisc "= "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 08:00 1116920]
    "PDVDDXSrv "= "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 16:23 118784]
    "dscactivate "= "c:\dell\dsca.exe" [2007-07-30 03:40 16384]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
    "mcagent_exe "= "C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-17 14:18 185896]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 04:00 208952]
    "IMEKRMIG6.1 "= "C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 04:00 44032]
    "MSPY2002 "= "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 04:00 59392]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 04:00 455168]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 04:00 455168]
    "dldomon.exe "= "C:\Program Files\Dell 968 AIO Printer\dldomon.exe" [2007-10-05 06:30 455920]
    "MemoryCardManager "= "C:\Program Files\Dell 968 AIO Printer\memcard.exe" [2007-10-05 06:30 410864]
    "Dell 968 AIO Printer Fax Server "= "C:\Program Files\Dell 968 AIO Printer\fm3032.exe" [2007-10-05 06:31 312560]
    "nwiz "= "nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
    "Corel Photo Downloader "= "C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2007-03-21 02:33 478800]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator "= "Narrator.exe" [2004-08-10 04:00 53760 C:\WINDOWS\system32\narrator.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Macro Express 3.lnk - C:\Program Files\Macro Express3\MacExp.exe [2008-04-01 20:42:52 3533312]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "ccwl "= rundll32.exe C:\WINDOWS\system32\ccwld16_080412.dll ccwl16

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
    "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldopswx.exe "=
    "C:\\WINDOWS\\system32\\dldocoms.exe "=
    "C:\\Program Files\\Dell 968 AIO Printer\\dldomon.exe "=
    "C:\\Program Files\\Dell 968 AIO Printer\\dldoaiox.exe "=
    "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldojswx.exe "=
    "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldotime.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "11965:TCP "= 11965:TCP:*:Disabled:SolidNetworkManager
    "11965:UDP "= 11965:UDP:*:Disabled:SolidNetworkManager
    "22038:TCP "= 22038:TCP:*:Disabled:SolidNetworkManager
    "22038:UDP "= 22038:UDP:*:Disabled:SolidNetworkManager
    "65107:TCP "= 65107:TCP:*:Disabled:SolidNetworkManager
    "65107:UDP "= 65107:UDP:*:Disabled:SolidNetworkManager

    R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 09:35]
    R2 dldo_device;dldo_device;C:\WINDOWS\system32\dldocoms.exe [2007-10-05 14:30]
    R3 scskusbf;USB SCSK Filter Driver Service;C:\WINDOWS\system32\drivers\scskusbf.sys [2008-04-05 13:19]
    S2 dldoCATSCustConnectService;dldoCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldoserv.exe [2007-10-05 14:30]
    S3 scskusbs;USB SCSK Driver Service;C:\WINDOWS\system32\drivers\scskusbs.sys [2008-04-05 13:19]
    S3 XDva098;XDva098;C:\WINDOWS\system32\XDva098.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-15 08:00:00 C:\WINDOWS\Tasks\McDefragTask.job "
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
    "2008-03-01 09:00:00 C:\WINDOWS\Tasks\McQcTask.job "
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-13 15:15:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\ehome\ehrecvr.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
    C:\Program Files\McAfee\MPF\MpfSrv.exe
    C:\Program Files\McAfee\MSK\msksrver.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehmsas.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-13 15:18:09 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-13 22:18:03
    Pre-Run: 140,939,980,800 bytes free
    Post-Run: 140,868,923,392 bytes free
    .
    2008-04-09 03:33:30 --- E O F ---
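    The "Reg Loading Points" section of the log above is where the damage shows most clearly: Security Center notifications switched off, McAfee monitoring disabled, the firewall's EnableFirewall set to 0, and a rundll32 launch hiding under policies\explorer\run. The script below is an added example (not part of the thread, not ComboFix's own code) that parses that section and flags exactly those patterns, so a helper reading a long log sees the tampering entries first. The sample log is a constructed, trimmed copy of lines quoted in the post, including the stray space the forum inserts inside the quoted value names; the regexes for Security Center value names (`*DisableNotify`, `DisableMonitoring`, `*Override`) are my own choice of heuristic.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example, not ComboFix's own code: it reads the registry dump ComboFix
prints and flags Security Center tampering, a disabled Windows Firewall and
entries launched through the policies\\explorer\\run key.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the log posted in the thread,
# keeping the forum's "name "= quoting artifact so the parser handles it.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ccwl "= rundll32.exe C:\WINDOWS\system32\ccwld16_080412.dll ccwl16

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify "=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"""


@dataclass(frozen=True)
class Finding:
    key: str     # registry key the value lives under
    name: str    # value name with ComboFix's quoting and stray spaces removed
    value: str   # raw data as printed in the log
    reason: str  # short tag describing why the entry was flagged


KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
# Non-greedy name, then optional whitespace before the closing quote.
VALUE_RE = re.compile(r'^"(?P<name>[^"]*?)\s*"\s*=\s*(?P<value>.*)$')
# Heuristic (assumption): Security Center values that silence or override monitoring.
SC_TAMPER_RE = re.compile(r"(DisableNotify|DisableMonitoring|Override)$", re.IGNORECASE)


def parse_reg_loading_points(text):
    """Yield (key, name, value) triples; values before any [key] line are ignored."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("value").strip()


def classify(key, name, value):
    """Return a reason tag for a suspicious entry, or None for an ordinary one."""
    k = key.lower()
    if ("security center" in k and SC_TAMPER_RE.search(name)
            and value.lower().endswith("dword:00000001")):
        return "security_center_tampering"
    if "firewallpolicy" in k and name.lower() == "enablefirewall" and value.startswith("0"):
        return "firewall_disabled"
    if k.endswith("policies\\explorer\\run"):
        # Rarely used by legitimate software; a favourite autostart for malware.
        return "policy_run_entry"
    return None


def triage_reg_loading_points(text):
    """Parse the section and return the flagged entries in log order."""
    findings = []
    for key, name, value in parse_reg_loading_points(text):
        reason = classify(key, name, value)
        if reason:
            findings.append(Finding(key, name, value, reason))
    return findings


def count_by_reason(findings):
    """Summarise findings as {reason: count}."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    for f in triage_reg_loading_points(SAMPLE_LOG):
        print(f"{f.reason:28} {f.name} = {f.value}")
    print(count_by_reason(triage_reg_loading_points(SAMPLE_LOG)))
```

    Run against the sample it reports the ccwl policy entry, the two Security Center values and the disabled firewall, and leaves the ctfmon.exe Run entry alone. Flagged values are the ones a helper would normally reverse after the malware itself is gone; the Security Center keys in particular explain why McAfee's warnings went quiet.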
     
  13. 2008/04/13
    zepheryn

    zepheryn Inactive Thread Starter

    Joined:
    2008/04/12
    Messages:
    16
    Likes Received:
    0
    My HJT log file:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:22:35 PM, on 4/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\dldocoms.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Dell 968 AIO Printer\dldomon.exe
    C:\Program Files\Dell 968 AIO Printer\memcard.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Tudou\TudouVA.exe
    C:\Program Files\Macro Express3\MacExp.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    c:\program files\common files\installshield\updateservice\isuspm.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3071109
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9415/tudouva.pac
    O2 - BHO: (no name) - {7c109800-a5d5-438f-9640-18d17e168b88} - C:\Program Files\NetProject\sbmdl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
    O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe "
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe "
    O4 - HKLM\..\Run: [dscactivate] c:\dell\dsca.exe 3
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [dldomon.exe] "C:\Program Files\Dell 968 AIO Printer\dldomon.exe "
    O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell 968 AIO Printer\memcard.exe "
    O4 - HKLM\..\Run: [Dell 968 AIO Printer Fax Server] "C:\Program Files\Dell 968 AIO Printer\fm3032.exe" /s
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [iTudouAutoStart] C:\Program Files\Tudou\iTudou\iTudou.exe -AutoStart
    O4 - HKCU\..\Run: [TudouVAStart] C:\Program Files\Tudou\TudouVA.exe
    O4 - HKLM\..\Policies\Explorer\Run: [ccwl] rundll32.exe C:\WINDOWS\system32\ccwld16_080412.dll ccwl16
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: Macro Express 3.lnk = C:\Program Files\Macro Express3\MacExp.exe
    O8 - Extra context menu item: ʹÓÃiTudouÃÂÔØ½ÃšÃ„¿ - C:\Program Files\Tudou\iTudou\iTudou_Link.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {9034a523-d068-4be8-a284-9df278be776e} - http://www.ieservicegate.com/redirect.php (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034a523-d068-4be8-a284-9df278be776e} - http://www.ieservicegate.com/redirect.php (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: dldoCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldoserv.exe
    O23 - Service: dldo_device - - C:\WINDOWS\system32\dldocoms.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O24 - Desktop Component 0: (no name) - http://www.angelden.net/volks/sd16/images/amelia17.jpg
    O24 - Desktop Component 1: (no name) - http://www.angelden.net/volks/sd16/images/olivia06.jpg
    O24 - Desktop Component 2: (no name) - http://www.angelden.net/volks/sd16/images/yukinojou06.jpg
    O24 - Desktop Component 3: (no name) - http://www.angelden.net/volks/sd13/images/cyndy2nd04.jpg
    O24 - Desktop Component 4: (no name) - http://www.angelden.net/volks/sd13/images/isao2nd04.jpg
    O24 - Desktop Component 5: (no name) - http://www.angelden.net/volks/tenshi/images/sakaki06.jpg
    O24 - Desktop Component 6: (no name) - http://www.angelden.net/volks/sd13/images/heath02.jpg
    O24 - Desktop Component 7: (no name) - http://www.angelden.net/volks/sd16/images/amelia10.jpg
    O24 - Desktop Component 8: (no name) - http://www.angelden.net/volks/sd13/images/lucas-blackcat03.jpg
    O24 - Desktop Component 9: (no name) - http://www.angelden.net/volks/sd13/images/chris-whitecat03.jpg

    --
    End of file - 9680 bytes
     
  14. 2008/04/13
    zepheryn

    zepheryn Inactive Thread Starter

    Joined:
    2008/04/12
    Messages:
    16
    Likes Received:
    0
    Hmmm... I posted both of the logs but am waiting for admin to ok them ^^;

    But the good thing is I can install the ComboFix and HiJackThis and open other programs now :D
     
  15. 2008/04/13
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi zepheryn

    OK please do this.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Code:
    File::
    C:\WINDOWS\guyi-emply.exe
    C:\kqkmnh.exe
    C:\WINDOWS\zeqbqwp.sys
    C:\Program Files\Common Files\m2.exe
    C:\WINDOWS\system32\ccwld16_080412.dll
    C:\Documents and Settings\Jenny\cftmon.exe
    C:\becc.exe
    C:\WINDOWS\ccwl16.ini
    C:\smp.bat
    C:\WINDOWS\system32\qelksqpucieqg.dll
    C:\WINDOWS\system32\oerniratgkdqj.dll
    C:\WINDOWS\system32\resiifers.ini
    C:\-1808455753
    
    Folder::
    C:\Program Files\NetProject
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7c109800-a5d5-438f-9640-18d17e168b88}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{51D81DD5-55B7-497F-95DB-D356429BB54E}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{51D81DD5-55B7-497F-95DB-D356429BB54E}"=-
    [-HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "ccwl"=-
    Please post the CFScript log.

    Also, I would like to see a Deckard's System Scanner log.

    Please download Deckard's System Scanner (dss.exe) and save it to your Desktop.
    Note: You must be logged onto an account with administrator privileges to complete the following.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy and then paste the contents of main.txt and extra.txt in your next reply.

    Please post the “main.txt” log only for now.


    Thanks
    Geri
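As an added example (not code from this thread, from ComboFix or from its author), the Python script below parses the File::/Folder::/Registry:: sections of a CFScript like the one above and cross-checks the File::/Folder:: entries against the "Other Deletions" section of the ComboFix log it produces, so you can see which requested items were actually removed and which were not. The sample script and log are constructed inline from paths quoted in this thread; the "(((( Other Deletions ))))" banner layout is assumed from the ComboFix log posted later in the thread.

```python
"""Reconcile a ComboFix CFScript with the ComboFix log it produced (added example)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample CFScript: a subset of the entries quoted in this thread.
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\guyi-emply.exe
C:\kqkmnh.exe
C:\smp.bat

Folder::
C:\Program Files\NetProject

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7c109800-a5d5-438f-9640-18d17e168b88}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ccwl"=-
"""

# Constructed sample: an abbreviated "Other Deletions" section in the layout of the
# ComboFix log posted later in this thread (one requested file deliberately absent).
SAMPLE_LOG = r"""((((((((((((((( Other Deletions )))))))))))))))
.

C:\kqkmnh.exe
C:\Program Files\NetProject
C:\Program Files\NetProject\sbmntr.exe
C:\smp.bat

.
((((((((((((((( Drivers/Services )))))))))))))))
.

-------\zeqbqwp
"""

SECTION_RE = re.compile(r"^(\w+)::\s*$")          # e.g. "File::", "Registry::"
REG_DELETE_KEY_RE = re.compile(r"^\[-(.+)\]$")     # "[-KEY]" deletes the whole key
REG_DELETE_VALUE_RE = re.compile(r'^"(.+)"=-$')    # '"name"=-' deletes one value


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its 'Name::' sections, keeping non-blank lines in order."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def registry_deletions(reg_lines: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (deleted_keys, deleted_values) from a Registry:: section."""
    keys: List[str] = []
    values: List[Tuple[str, str]] = []
    current_key = None
    for line in reg_lines:
        m = REG_DELETE_KEY_RE.match(line)
        if m:                      # "[-KEY]": whole key goes, no values follow it
            keys.append(m.group(1))
            current_key = None
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]   # "[KEY]": following '"name"=-' lines apply here
            continue
        m = REG_DELETE_VALUE_RE.match(line)
        if m and current_key:
            values.append((current_key, m.group(1)))
    return keys, values


def parse_combofix_deletions(log: str) -> Set[str]:
    """Collect the paths listed under the log's 'Other Deletions' banner (lower-cased)."""
    deleted: Set[str] = set()
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("((((") and line.endswith("))))"):
            in_section = "Other Deletions" in line   # any other banner ends the section
            continue
        if in_section and line and line != ".":
            deleted.add(line.lower())
    return deleted


def reconcile(cfscript: str, log: str) -> Dict[str, List[str]]:
    """Compare requested File::/Folder:: paths with what the log says was removed."""
    sections = parse_cfscript(cfscript)
    requested = [p for s in ("File", "Folder") for p in sections.get(s, [])]
    folders = [f.lower() for f in sections.get("Folder", [])]
    deleted = parse_combofix_deletions(log)
    req_lower = {p.lower() for p in requested}
    done = sorted(p for p in requested if p.lower() in deleted)
    missing = sorted(p for p in requested if p.lower() not in deleted)
    # Contents of a requested folder are expected; anything else is worth a second look.
    unexpected = sorted(d for d in deleted
                        if d not in req_lower
                        and not any(d.startswith(f + "\\") for f in folders))
    return {"deleted": done, "missing": missing, "unexpected": unexpected}


if __name__ == "__main__":
    for label, items in reconcile(SAMPLE_CFSCRIPT, SAMPLE_LOG).items():
        print(f"{label}: {items}")
```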
     
  16. 2008/04/13
    zepheryn

    zepheryn Inactive Thread Starter

    Joined:
    2008/04/12
    Messages:
    16
    Likes Received:
    0
    ComboFix 08-04-13.1 - Jenny 2008-04-13 19:06:15.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1485 [GMT -7:00]
    Running from: C:\Documents and Settings\Jenny\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Jenny\Desktop\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\-1808455753
    C:\becc.exe
    C:\Documents and Settings\Jenny\cftmon.exe
    C:\kqkmnh.exe
    C:\Program Files\Common Files\m2.exe
    C:\smp.bat
    C:\WINDOWS\ccwl16.ini
    C:\WINDOWS\guyi-emply.exe
    C:\WINDOWS\system32\ccwld16_080412.dll
    C:\WINDOWS\system32\oerniratgkdqj.dll
    C:\WINDOWS\system32\qelksqpucieqg.dll
    C:\WINDOWS\system32\resiifers.ini
    C:\WINDOWS\zeqbqwp.sys
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\-1808455753
    C:\becc.exe
    C:\Documents and Settings\Jenny\cftmon.exe
    C:\kqkmnh.exe
    C:\Program Files\Common Files\m2.exe
    C:\Program Files\NetProject
    C:\Program Files\NetProject\ot.ico
    C:\Program Files\NetProject\sbmdl.dll
    C:\Program Files\NetProject\sbmntr.exe
    C:\Program Files\NetProject\sbsm.exe
    C:\Program Files\NetProject\sbun.exe
    C:\Program Files\NetProject\scit.exe
    C:\Program Files\NetProject\scm.exe
    C:\Program Files\NetProject\scu.exe
    C:\Program Files\NetProject\ts.ico
    C:\Program Files\NetProject\wamdl.dll
    C:\Program Files\NetProject\waun.exe
    C:\smp.bat
    C:\WINDOWS\ccwl16.ini
    C:\WINDOWS\guyi-emply.exe
    C:\WINDOWS\system32\ccwld16_080412.dll
    C:\WINDOWS\system32\oerniratgkdqj.dll
    C:\WINDOWS\system32\qelksqpucieqg.dll
    C:\WINDOWS\system32\resiifers.ini
    C:\WINDOWS\zeqbqwp.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_ACPIDISK
    -------\zeqbqwp


    ((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
    .

    2008-04-13 15:22 . 2008-04-13 15:22 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-12 22:59 . 2008-04-12 22:59 242,313 --a------ C:\unlocker1.8.6.exe
    2008-04-12 20:50 . 2008-04-12 20:50 <DIR> d--h----- C:\WINDOWS\PIF
    2008-04-12 19:26 . 2008-04-12 19:31 <DIR> d-------- C:\HJT
    2008-04-12 19:19 . 2008-04-12 19:18 686,630 --a------ C:\dss.exe
    2008-04-12 18:20 . 2008-04-12 18:21 1,307,888 --a------ C:\SmitfraudFix.exe
    2008-04-12 18:11 . 2008-04-12 18:09 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-04-12 18:09 . 2008-04-12 18:25 <DIR> d-------- C:\Documents and Settings\Jenny\.housecall6.6
    2008-04-12 16:07 . 2008-04-12 16:07 573,440 --a------ C:\WINDOWS\Setup802.exe
    2008-04-12 16:06 . 2008-04-12 16:06 4,096 --a------ C:\yfwerj.exe
    2008-04-01 21:11 . 2008-04-01 21:11 <DIR> d-------- C:\Program Files\AutoHotkey
    2008-04-01 20:42 . 2008-04-01 20:43 <DIR> d-------- C:\Program Files\Macro Express3
    2008-04-01 20:42 . 2008-04-01 20:42 <DIR> d-------- C:\Program Files\Common Files\Insight Software Solutions
    2008-04-01 20:42 . 2008-04-01 20:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Insight Software Solutions
    2008-04-01 20:42 . 2008-04-01 20:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Insight Software
    2008-03-29 22:01 . 2008-04-01 21:11 <DIR> d-------- C:\WINDOWS\ShellNew
    2008-03-29 22:01 . 2008-03-29 22:01 <DIR> d-------- C:\Program Files\AutoIt3
    2008-03-29 13:30 . 2008-03-29 13:30 754 --a------ C:\WINDOWS\WORDPAD.INI
    2008-03-21 23:50 . 2008-04-05 13:19 83,160 --a------ C:\WINDOWS\system32\drivers\scskusbs.sys
    2008-03-21 23:50 . 2008-04-05 13:19 19,504 --a------ C:\WINDOWS\system32\drivers\scskusbf.sys
    2008-03-21 23:15 . 2008-03-21 23:15 <DIR> d-------- C:\Program Files\KRU

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-13 20:21 --------- d-----w C:\Program Files\McAfee
    2008-04-04 00:49 --------- d-----w C:\Program Files\Tudou
    2008-03-15 01:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
    2008-03-10 03:03 --------- d-----w C:\Documents and Settings\Jenny\Application Data\dvdcss
    2008-03-07 06:37 --------- d-----w C:\Program Files\Common Files\DirectX
    2008-03-07 06:23 --------- d-----w C:\Program Files\Outspark
    2008-03-07 03:55 --------- d-----w C:\Program Files\SystemRequirementsLab
    2008-03-07 03:55 --------- d-----w C:\Documents and Settings\Jenny\Application Data\SystemRequirementsLab
    2008-03-04 02:20 --------- d-----w C:\Documents and Settings\Jenny\Application Data\968 Series
    2008-03-01 05:56 --------- d-----w C:\Documents and Settings\Jenny\Application Data\Corel
    2008-03-01 05:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
    2008-03-01 05:35 --------- d-----w C:\Program Files\Dell 968 AIO Printer
    2008-03-01 05:35 --------- d-----w C:\Program Files\Corel
    2008-03-01 05:35 --------- d-----w C:\Program Files\Common Files\Corel
    2008-03-01 05:35 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
    2008-03-01 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\968 Series
    .

    ((((((((((((((((((((((((((((( snapshot@2008-04-13_15.17.54.01 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-04-13 22:15:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-04-14 02:08:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    - 2008-04-13 19:20:04 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-04-14 00:31:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-04-13 19:20:04 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-04-14 00:31:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-04-13 19:20:04 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-04-14 00:31:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2008-04-13 20:25:46 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2008-04-13 22:19:34 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2008-04-13 20:25:46 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-04-13 22:19:34 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport "= "C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
    "iTudouAutoStart "= "C:\Program Files\Tudou\iTudou\iTudou.exe" [2007-11-21 19:21 958464]
    "TudouVAStart "= "C:\Program Files\Tudou\TudouVA.exe" [2008-04-03 17:48 995008]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray "= "C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01 67584]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
    "SigmatelSysTrayApp "= "stsystra.exe" [2007-04-12 04:16 282624 C:\WINDOWS\stsystra.exe]
    "ISUSPM Startup "= "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
    "RoxWatchTray "= "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 10:22 221184]
    "RoxioDragToDisc "= "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 08:00 1116920]
    "PDVDDXSrv "= "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 16:23 118784]
    "dscactivate "= "c:\dell\dsca.exe" [2007-07-30 03:40 16384]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
    "mcagent_exe "= "C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-17 14:18 185896]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 04:00 208952]
    "IMEKRMIG6.1 "= "C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 04:00 44032]
    "MSPY2002 "= "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 04:00 59392]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 04:00 455168]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 04:00 455168]
    "dldomon.exe "= "C:\Program Files\Dell 968 AIO Printer\dldomon.exe" [2007-10-05 06:30 455920]
    "MemoryCardManager "= "C:\Program Files\Dell 968 AIO Printer\memcard.exe" [2007-10-05 06:30 410864]
    "Dell 968 AIO Printer Fax Server "= "C:\Program Files\Dell 968 AIO Printer\fm3032.exe" [2007-10-05 06:31 312560]
    "nwiz "= "nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
    "Corel Photo Downloader "= "C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2007-03-21 02:33 478800]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator "= "Narrator.exe" [2004-08-10 04:00 53760 C:\WINDOWS\system32\narrator.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Macro Express 3.lnk - C:\Program Files\Macro Express3\MacExp.exe [2008-04-01 20:42:52 3533312]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
    "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldopswx.exe "=
    "C:\\WINDOWS\\system32\\dldocoms.exe "=
    "C:\\Program Files\\Dell 968 AIO Printer\\dldomon.exe "=
    "C:\\Program Files\\Dell 968 AIO Printer\\dldoaiox.exe "=
    "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldojswx.exe "=
    "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldotime.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "11965:TCP "= 11965:TCP:*:Disabled:SolidNetworkManager
    "11965:UDP "= 11965:UDP:*:Disabled:SolidNetworkManager
    "22038:TCP "= 22038:TCP:*:Disabled:SolidNetworkManager
    "22038:UDP "= 22038:UDP:*:Disabled:SolidNetworkManager
    "65107:TCP "= 65107:TCP:*:Disabled:SolidNetworkManager
    "65107:UDP "= 65107:UDP:*:Disabled:SolidNetworkManager

    R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 09:35]
    R2 dldo_device;dldo_device;C:\WINDOWS\system32\dldocoms.exe [2007-10-05 14:30]
    R3 scskusbf;USB SCSK Filter Driver Service;C:\WINDOWS\system32\drivers\scskusbf.sys [2008-04-05 13:19]
    S2 dldoCATSCustConnectService;dldoCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldoserv.exe [2007-10-05 14:30]
    S3 scskusbs;USB SCSK Driver Service;C:\WINDOWS\system32\drivers\scskusbs.sys [2008-04-05 13:19]
    S3 XDva098;XDva098;C:\WINDOWS\system32\XDva098.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-15 08:00:00 C:\WINDOWS\Tasks\McDefragTask.job "
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
    "2008-03-01 09:00:00 C:\WINDOWS\Tasks\McQcTask.job "
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-13 19:09:25
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\ehome\ehrecvr.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
    C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
    C:\Program Files\McAfee\MPF\MpfSrv.exe
    C:\Program Files\McAfee\MSK\msksrver.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehmsas.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-13 19:11:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-14 02:11:44
    ComboFix2.txt 2008-04-13 22:18:09
    Pre-Run: 140,860,350,464 bytes free
    Post-Run: 140,847,083,520 bytes free
    .
    2008-04-09 03:33:30 --- E O F ---
     
  17. 2008/04/13
    zepheryn

    zepheryn Inactive Thread Starter

    Joined:
    2008/04/12
    Messages:
    16
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:14:13 PM, on 4/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\dldocoms.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Dell 968 AIO Printer\dldomon.exe
    C:\Program Files\Dell 968 AIO Printer\memcard.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Tudou\TudouVA.exe
    C:\Program Files\Macro Express3\MacExp.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3071109
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9415/tudouva.pac
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe "
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe "
    O4 - HKLM\..\Run: [dscactivate] c:\dell\dsca.exe 3
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [dldomon.exe] "C:\Program Files\Dell 968 AIO Printer\dldomon.exe "
    O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell 968 AIO Printer\memcard.exe "
    O4 - HKLM\..\Run: [Dell 968 AIO Printer Fax Server] "C:\Program Files\Dell 968 AIO Printer\fm3032.exe" /s
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [iTudouAutoStart] C:\Program Files\Tudou\iTudou\iTudou.exe -AutoStart
    O4 - HKCU\..\Run: [TudouVAStart] C:\Program Files\Tudou\TudouVA.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: Macro Express 3.lnk = C:\Program Files\Macro Express3\MacExp.exe
    O8 - Extra context menu item: ʹÓÃiTudouÃÂÔØ½ÃšÃ„¿ - C:\Program Files\Tudou\iTudou\iTudou_Link.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {9034a523-d068-4be8-a284-9df278be776e} - http://www.ieservicegate.com/redirect.php (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034a523-d068-4be8-a284-9df278be776e} - http://www.ieservicegate.com/redirect.php (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: dldoCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldoserv.exe
    O23 - Service: dldo_device - - C:\WINDOWS\system32\dldocoms.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O24 - Desktop Component 0: (no name) - http://www.angelden.net/volks/sd16/images/amelia17.jpg
    O24 - Desktop Component 1: (no name) - http://www.angelden.net/volks/sd16/images/olivia06.jpg
    O24 - Desktop Component 2: (no name) - http://www.angelden.net/volks/sd16/images/yukinojou06.jpg
    O24 - Desktop Component 3: (no name) - http://www.angelden.net/volks/sd13/images/cyndy2nd04.jpg
    O24 - Desktop Component 4: (no name) - http://www.angelden.net/volks/sd13/images/isao2nd04.jpg
    O24 - Desktop Component 5: (no name) - http://www.angelden.net/volks/tenshi/images/sakaki06.jpg
    O24 - Desktop Component 6: (no name) - http://www.angelden.net/volks/sd13/images/heath02.jpg
    O24 - Desktop Component 7: (no name) - http://www.angelden.net/volks/sd16/images/amelia10.jpg
    O24 - Desktop Component 8: (no name) - http://www.angelden.net/volks/sd13/images/lucas-blackcat03.jpg
    O24 - Desktop Component 9: (no name) - http://www.angelden.net/volks/sd13/images/chris-whitecat03.jpg

    --
    End of file - 9372 bytes
     
  18. 2008/04/13
    zepheryn

    zepheryn Inactive Thread Starter

    Joined:
    2008/04/12
    Messages:
    16
    Likes Received:
    0
    Deckard's System Scanner v20071014.68
    Run by Jenny on 2008-04-13 19:15:31
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    74: 2008-04-14 02:15:35 UTC - RP128 - Deckard's System Scanner Restore Point
    73: 2008-04-14 02:06:01 UTC - RP127 - ComboFix created restore point
    72: 2008-04-13 22:11:28 UTC - RP126 - ComboFix created restore point
    71: 2008-04-13 01:24:41 UTC - RP125 - Restore Operation
    70: 2008-04-11 02:02:58 UTC - RP124 - Post-Dell Automated PC TuneUp


    -- First Restore Point --
    1: 2008-01-09 06:08:13 UTC - RP55 - Software Distribution Service 3.0


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Jenny.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:16:03 PM, on 4/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\dldocoms.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Dell 968 AIO Printer\dldomon.exe
    C:\Program Files\Dell 968 AIO Printer\memcard.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Tudou\TudouVA.exe
    C:\Program Files\Macro Express3\MacExp.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    C:\Documents and Settings\Jenny\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Jenny.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3071109
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9415/tudouva.pac
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe "
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe "
    O4 - HKLM\..\Run: [dscactivate] c:\dell\dsca.exe 3
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [dldomon.exe] "C:\Program Files\Dell 968 AIO Printer\dldomon.exe "
    O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell 968 AIO Printer\memcard.exe "
    O4 - HKLM\..\Run: [Dell 968 AIO Printer Fax Server] "C:\Program Files\Dell 968 AIO Printer\fm3032.exe" /s
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [iTudouAutoStart] C:\Program Files\Tudou\iTudou\iTudou.exe -AutoStart
    O4 - HKCU\..\Run: [TudouVAStart] C:\Program Files\Tudou\TudouVA.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: Macro Express 3.lnk = C:\Program Files\Macro Express3\MacExp.exe
    O8 - Extra context menu item: ʹÓÃiTudouÃÂÔØ½ÃšÃ„¿ - C:\Program Files\Tudou\iTudou\iTudou_Link.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {9034a523-d068-4be8-a284-9df278be776e} - http://www.ieservicegate.com/redirect.php (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034a523-d068-4be8-a284-9df278be776e} - http://www.ieservicegate.com/redirect.php (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: dldoCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldoserv.exe
    O23 - Service: dldo_device - - C:\WINDOWS\system32\dldocoms.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O24 - Desktop Component 0: (no name) - http://www.angelden.net/volks/sd16/images/amelia17.jpg
    O24 - Desktop Component 1: (no name) - http://www.angelden.net/volks/sd16/images/olivia06.jpg
    O24 - Desktop Component 2: (no name) - http://www.angelden.net/volks/sd16/images/yukinojou06.jpg
    O24 - Desktop Component 3: (no name) - http://www.angelden.net/volks/sd13/images/cyndy2nd04.jpg
    O24 - Desktop Component 4: (no name) - http://www.angelden.net/volks/sd13/images/isao2nd04.jpg
    O24 - Desktop Component 5: (no name) - http://www.angelden.net/volks/tenshi/images/sakaki06.jpg
    O24 - Desktop Component 6: (no name) - http://www.angelden.net/volks/sd13/images/heath02.jpg
    O24 - Desktop Component 7: (no name) - http://www.angelden.net/volks/sd16/images/amelia10.jpg
    O24 - Desktop Component 8: (no name) - http://www.angelden.net/volks/sd13/images/lucas-blackcat03.jpg
    O24 - Desktop Component 9: (no name) - http://www.angelden.net/volks/sd13/images/chris-whitecat03.jpg

    --
    End of file - 9377 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
    R3 catchme - c:\docume~1\jenny\locals~1\temp\catchme.sys (file missing)
    R3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
    R3 scskusbf (USB SCSK Filter Driver Service) - c:\windows\system32\drivers\scskusbf.sys <Not Verified; SoftCamp; SCSKUSBf 4.0.1.6>

    S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
    S3 scskusbs (USB SCSK Driver Service) - c:\windows\system32\drivers\scskusbs.sys <Not Verified; SoftCamp; SCSKUSBs 4.0.1.6>
    S3 XDva098 - c:\windows\system32\xdva098.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    S2 ProtexisLicensing - c:\windows\system32\psiservice.exe <Not Verified; ; PSIService>
    S3 DSBrokerService - "c:\program files\dellsupport\brkrsvc.exe" <Not Verified; ; Gteko BrkrSvc Application>
    S3 stllssvr - "c:\program files\common files\surething shared\stllssvr.exe" <Not Verified; MicroVision Development, Inc.; SureThing CD Labeler>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2008-03-15 01:00:00 356 --a------ C:\WINDOWS\Tasks\McDefragTask.job
    2008-03-01 02:00:00 348 --a------ C:\WINDOWS\Tasks\McQcTask.job


    -- Files created between 2008-03-13 and 2008-04-13 -----------------------------

    2008-04-13 15:22:20 0 d-------- C:\Program Files\Trend Micro
    2008-04-13 15:10:42 68096 --a------ C:\WINDOWS\zip.exe
    2008-04-13 15:10:42 49152 --a------ C:\WINDOWS\VFind.exe
    2008-04-13 15:10:42 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-04-13 15:10:42 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-04-13 15:10:42 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-04-13 15:10:42 98816 --a------ C:\WINDOWS\sed.exe
    2008-04-13 15:10:42 80412 --a------ C:\WINDOWS\grep.exe
    2008-04-13 15:10:42 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-04-12 20:50:54 0 d--h----- C:\WINDOWS\PIF
    2008-04-12 19:26:43 0 d-------- C:\HJT
    2008-04-12 19:19:23 686630 --a------ C:\dss.exe
    2008-04-12 18:20:46 1307888 --a------ C:\SmitfraudFix.exe
    2008-04-12 18:09:19 0 d-------- C:\Documents and Settings\Jenny\.housecall6.6
    2008-04-12 16:07:12 573440 --a------ C:\WINDOWS\Setup802.exe
    2008-04-12 16:06:42 4096 --a------ C:\yfwerj.exe
    2008-04-01 21:11:55 0 d-------- C:\Program Files\AutoHotkey
    2008-04-01 20:42:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Insight Software
    2008-04-01 20:42:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Insight Software Solutions
    2008-04-01 20:42:53 0 d-------- C:\Program Files\Common Files\Insight Software Solutions
    2008-04-01 20:42:52 0 d-------- C:\Program Files\Macro Express3
    2008-03-29 22:01:55 0 d-------- C:\Program Files\AutoIt3
    2008-03-29 22:01:52 0 d-------- C:\WINDOWS\ShellNew
    2008-03-22 01:07:44 0 d--h----- C:\Documents and Settings\DA\Application Data
    2008-03-22 01:07:44 0 d-------- C:\Documents and Settings\DA\Application Data\Roxio
    2008-03-21 23:50:51 83160 --a------ C:\WINDOWS\system32\drivers\scskusbs.sys <Not Verified; SoftCamp; SCSKUSBs 4.0.1.6>
    2008-03-21 23:50:51 19504 --a------ C:\WINDOWS\system32\drivers\scskusbf.sys <Not Verified; SoftCamp; SCSKUSBf 4.0.1.6>
    2008-03-21 23:15:52 0 d-------- C:\Program Files\KRU


    -- Find3M Report ---------------------------------------------------------------

    2008-04-13 19:06:29 0 d-------- C:\Program Files\Common Files
    2008-04-13 15:15:24 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2008-04-13 13:21:38 0 d-------- C:\Program Files\McAfee
    2008-04-03 17:49:02 0 d-------- C:\Program Files\Tudou
    2008-03-22 11:36:14 0 d-------- C:\Documents and Settings\Jenny\Application Data\Real
    2008-03-09 20:03:16 0 d-------- C:\Documents and Settings\Jenny\Application Data\dvdcss
    2008-03-06 23:37:17 0 d-------- C:\Program Files\Common Files\DirectX
    2008-03-06 23:23:13 0 d-------- C:\Program Files\Outspark
    2008-03-06 20:55:27 0 d-------- C:\Program Files\SystemRequirementsLab
    2008-03-06 20:55:21 0 d-------- C:\Documents and Settings\Jenny\Application Data\SystemRequirementsLab
    2008-03-03 19:20:24 0 d-------- C:\Documents and Settings\Jenny\Application Data\968 Series
    2008-02-29 22:56:58 2516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
    2008-02-29 22:56:53 0 d-------- C:\Documents and Settings\Jenny\Application Data\Corel
    2008-02-29 22:55:24 88 -r-hs---- C:\WINDOWS\system32\217748A063.sys
    2008-02-29 22:35:44 0 d-------- C:\Program Files\Dell 968 AIO Printer
    2008-02-29 22:35:36 0 d-------- C:\Program Files\Common Files\Corel
    2008-02-29 22:35:17 0 d-------- C:\Program Files\Corel
    2008-02-29 22:35:03 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
    2008-02-09 15:16:56 2074 --a------ C:\WINDOWS\mozver.dat


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray "= "C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 01:01 PM]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 02:41 AM]
    "SigmatelSysTrayApp "= "stsystra.exe" [04/12/2007 04:16 AM C:\WINDOWS\stsystra.exe]
    "ISUSPM Startup "= "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [08/11/2005 04:30 PM]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [08/11/2005 04:30 PM]
    "RoxWatchTray "= "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [11/05/2006 10:22 AM]
    "RoxioDragToDisc "= "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [08/17/2006 08:00 AM]
    "PDVDDXSrv "= "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [10/20/2006 04:23 PM]
    "dscactivate "= "c:\dell\dsca.exe" [07/30/2007 03:40 AM]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 02:06 AM]
    "mcagent_exe "= "C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 11:33 PM]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11/17/2007 02:18 PM]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/10/2004 04:00 AM]
    "IMEKRMIG6.1 "= "C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [08/10/2004 04:00 AM]
    "MSPY2002 "= "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/10/2004 04:00 AM]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/10/2004 04:00 AM]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/10/2004 04:00 AM]
    "dldomon.exe "= "C:\Program Files\Dell 968 AIO Printer\dldomon.exe" [10/05/2007 06:30 AM]
    "MemoryCardManager "= "C:\Program Files\Dell 968 AIO Printer\memcard.exe" [10/05/2007 06:30 AM]
    "Dell 968 AIO Printer Fax Server "= "C:\Program Files\Dell 968 AIO Printer\fm3032.exe" [10/05/2007 06:31 AM]
    "nwiz "= "nwiz.exe" [12/05/2007 02:41 AM C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 02:41 AM]
    "Corel Photo Downloader "= "C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [03/21/2007 02:33 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport "= "C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 04:00 AM]
    "iTudouAutoStart "= "C:\Program Files\Tudou\iTudou\iTudou.exe" [11/21/2007 07:21 PM]
    "TudouVAStart "= "C:\Program Files\Tudou\TudouVA.exe" [04/03/2008 05:48 PM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "RunNarrator "=Narrator.exe

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Macro Express 3.lnk - C:\Program Files\Macro Express3\MacExp.exe [4/1/2008 8:42:52 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "=C:\WINDOWS\Resources\Themes\Royale.theme
    "DisableRegistryTools "=0 (0x0)
    "HideLegacyLogonScripts "=0 (0x0)
    "HideLogoffScripts "=0 (0x0)
    "RunLogonScriptSync "=1 (0x1)
    "RunStartupScriptSync "=1 (0x1)
    "HideStartupScripts "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts "=0 (0x0)
    "HideLogoffScripts "=0 (0x0)
    "RunLogonScriptSync "=1 (0x1)
    "RunStartupScriptSync "=1 (0x1)
    "HideStartupScripts "=0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=" "


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    AutoRun\command- E:\setup.exe




    -- End of Deckard's System Scanner: finished at 2008-04-13 19:16:46 ------------
     
  19. 2008/04/13
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi zepheryn

    I missed a file to delete, so please do this.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\yfwerj.exe

    Also I would like a file scanned.


    Jotti File Submission:
    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
      • C:\WINDOWS\Setup802.exe
    • Click on the submit button
    • Please post the results in your next reply.


    Do you know what all the O24's are in your HJT log?
    Desktop backgrounds?

    Please post the Jotti results and let me know about the O24's

    Thanks
    Geri
     
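    The two files Geri singled out above were both created on the day of the first symptom and sit in the drive root or the Windows folder; a small parser over the DSS "Files created between ..." section can surface such entries automatically. This is an added example, not code from the thread, from DSS or from any tool named here; the incident window, the scoring weights and the random-name heuristic are my assumptions, and the sample lines are copied from the log posted above.

```python
"""Triage helper for the 'Files created between ...' section of a Deckard's System
Scanner (DSS) log. Added example, not part of the thread or of DSS; the scoring
weights and the incident window below are my assumptions."""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Line shape: "YYYY-MM-DD HH:MM:SS <size> <attrs> <path> [<Not Verified; vendor; product>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)(?:\s+<(?P<ver>[^>]*)>)?\s*$")
EXEC_EXT = (".exe", ".sys", ".dll", ".scr", ".com", ".pif")
# Directories where a freshly dropped executable deserves a second look.
LANDING_DIRS = {"c:", "c:\\windows", "c:\\windows\\system32", "c:\\windows\\system32\\drivers"}
# Assumed incident window: the day of the first symptom, before cleanup tools were downloaded.
INCIDENT_WINDOW = (datetime(2008, 4, 12, 0, 0, 0), datetime(2008, 4, 12, 18, 0, 0))

@dataclass
class Finding:
    path: str
    created: datetime
    score: int = 0
    reasons: list = field(default_factory=list)

def looks_random(name: str) -> bool:
    """Crude check: a basename with almost no vowels (e.g. 'yfwerj')."""
    letters = [c for c in name.rsplit(".", 1)[0].lower() if c.isalpha()]
    return bool(letters) and sum(c in "aeiou" for c in letters) / len(letters) < 0.2

def triage(log_text: str, window=INCIDENT_WINDOW) -> list:
    """Parse DSS 'Files created' lines; return executables, highest score first."""
    start, end = window
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["attrs"].startswith("d"):  # skip headers, blanks, directories
            continue
        parent, _, base = m["path"].rpartition("\\")
        if not base.lower().endswith(EXEC_EXT):
            continue
        f = Finding(m["path"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
        checks = [
            (parent.lower() in LANDING_DIRS or "\\temp" in parent.lower(), 2, "dropped in drive/Windows root or temp"),
            (m["ver"] is None, 1, "no vendor/version info"),
            (looks_random(base), 2, "random-looking name"),
            (start <= f.created <= end, 3, "created inside incident window"),
        ]
        for hit, weight, why in checks:
            if hit:
                f.score += weight
                f.reasons.append(why)
        findings.append(f)
    return sorted(findings, key=lambda x: (-x.score, x.created))

# Sample input: lines copied from the DSS log posted in this thread.
SAMPLE_LOG = r"""
2008-04-13 15:22:20 0 d-------- C:\Program Files\Trend Micro
2008-04-13 15:10:42 68096 --a------ C:\WINDOWS\zip.exe
2008-04-13 15:10:42 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-13 15:10:42 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-12 19:19:23 686630 --a------ C:\dss.exe
2008-04-12 18:20:46 1307888 --a------ C:\SmitfraudFix.exe
2008-04-12 16:07:12 573440 --a------ C:\WINDOWS\Setup802.exe
2008-04-12 16:06:42 4096 --a------ C:\yfwerj.exe
2008-03-21 23:50:51 83160 --a------ C:\WINDOWS\system32\drivers\scskusbs.sys <Not Verified; SoftCamp; SCSKUSBs 4.0.1.6>
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.score:2d}  {f.created:%Y-%m-%d %H:%M}  {f.path}  ({', '.join(f.reasons)})")
```

    The helper tools SmitfraudFix drops into C:\WINDOWS (zip.exe, sed.exe and the like) still score a few points, so the ranking is a starting point for a human reviewer, not a verdict.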
  20. 2008/04/14
    zepheryn

    zepheryn Inactive Thread Starter

    Joined:
    2008/04/12
    Messages:
    16
    Likes Received:
    0
    Hihi,

    Deleted C:\yfwerj.exe, and the O24's are my desktop items, I just use them as my background :D

    Jotti results:

    Scanner results
    Scan taken on 14 Apr 2008 23:58:27 (GMT)
    A-Squared
    Found nothing
    AntiVir
    Found TR/Crypt.FKM.Gen
    ArcaVir
    Found nothing
    Avast
    Found nothing
    AVG Antivirus
    Found Delf.ENN
    BitDefender
    Found Trojan.Delf.OZH
    ClamAV
    Found nothing
    CPsecure
    Found nothing
    Dr.Web
    Found Trojan.MulDrop.origin
    F-Prot Antivirus
    Found Possibly a new variant of W32/NewMalware-LSU-based!Maximus
    F-Secure Anti-Virus
    Found Trojan-Downloader.Win32.Agent.mwq
    Fortinet
    Found nothing
    Ikarus
    Found Trojan.Delf.OUD
    Kaspersky Anti-Virus
    Found Trojan-Downloader.Win32.Agent.mwq
    NOD32
    Found a variant of Win32/Delf.NKI
    Norman Virus Control
    Found nothing
    Panda Antivirus
    Found nothing
    Sophos Antivirus
    Found Mal/Heuri-E, Mal/Behav-056, Mal/Behav-010
    VirusBuster
    Found nothing
    VBA32
    Found MalwareScope.Trojan-PSW.Game.16

    Thanks a bunch!
     
  21. 2008/04/14
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi zepheryn

    OK looks like we better delete that.

    Do as you did the last file you deleted and delete this.

    C:\WINDOWS\Setup802.exe

    Then do this please.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now an on-line scan.

    Please do an online scan with Kaspersky WebScanner

    Click on "Accept". If your pop-up blocker blocks the ActiveX download, allow it and click on "Accept" again.

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes or Install.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This will start the program and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
