Clcr Problems, Starts Up Slowly, Closes Windows


  • This topic is locked
9 replies to this topic

#1 Sketh

Sketh

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:26 PM

Posted 08 August 2007 - 08:19 AM

***If this topic was posted twice, I'm sorry. The virus had closed one topic right after "posting" and I believe it was done before it actually finished.***




Somehow this computer I'm on got terribly messed up while I was away. I know the problem is stemming from CLCR.EXE, as I've read about it elsewhere doing the same thing.

What happens is that random pop-ups occur every so often, which, after scanning etc. before posting this log, seem to have temporarily stopped. Another key problem is that Windows now takes about 4 minutes to start up, which happened instantly overnight: I was out for a night, came home, and my mom said that she was having trouble with the computer. I turn it on and "Windows is starting" or whatever now takes about 30x longer than normal. Also, the virus makes my browser windows close when I try to download certain antivirus software that may possibly be able to take care of clcr, which is annoying. I tried running the HouseCall web scan before posting this log last night, and it ended up taking forever, so I went to bed. I woke up and clearly the window had been randomly closed by the virus after it was done scanning, which from what I saw had found a lot.

So, here is the log, any help would be appreciated.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:53 AM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RKlauncher\RKLauncher.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sketh\Desktop\HiJackThis.exe
C:\WINDOWS\system32\clcr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...epage=http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...epage=http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {18B4FB77-6BD0-4A4E-A73C-2456CE0D1F12} - C:\WINDOWS\system32\vturp.dll (file missing)
O2 - BHO: (no name) - {2506D597-1D6E-41F2-9C11-814042FACAC9} - C:\WINDOWS\system32\awtsr.dll (file missing)
O2 - BHO: (no name) - {347BFC16-DF6E-48BF-9804-D0296F94E36B} - C:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {4EEA6D4C-DD52-49B3-B358-BAA68701A3B3} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {5E0518A4-A03C-4E35-A873-2C1EE9E75AA4} - C:\WINDOWS\system32\nksdfjdo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9318DBF7-9EE9-4C7C-86E0-6750CA72BD95} - C:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: (no name) - {A9D44074-264B-4A04-B8D0-D1660CD2F088} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O2 - BHO: (no name) - {B2030C9A-DE59-457D-A042-D827AD69C8F3} - C:\WINDOWS\system32\pmnmkll.dll (file missing)
O2 - BHO: (no name) - {BBE8C227-CD7C-4C0F-8FD5-23E0E560E26a} - C:\WINDOWS\system32\nksdfjdo.dll (file missing)
O2 - BHO: (no name) - {BE907419-361F-4BF4-80AD-85EDB0ECB30A} - C:\WINDOWS\system32\vturp.dll (file missing)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\dfprrlxi.dll
O2 - BHO: (no name) - {D9115727-0430-4786-BF9A-7CF2CD50EDAE} - C:\WINDOWS\system32\jkhhg.dll (file missing)
O2 - BHO: (no name) - {EB9F03A2-9346-4903-A539-8AC72812C9B7} - C:\WINDOWS\system32\xxyxxxv.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ECenter] "c:\dell\E-Center\gtb.exe"
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [{34ABEE9B-0A64-1033-0331-060506220001}] "C:\Program Files\Common Files\{34ABEE9B-0A64-1033-0331-060506220001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [bwtwhehq.exe] C:\Documents and Settings\All Users\Application Data\bwtwhehq.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\fjwpgrqu.dll",forkonce
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RK Launcher] "C:\Program Files\RKlauncher\RKLauncher.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-21-4285537268-375917941-1899198185-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-4285537268-375917941-1899198185-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-4285537268-375917941-1899198185-1005\..\Run: [RK Launcher] "C:\Program Files\RKlauncher\RKLauncher.exe" (User '?')
O4 - HKUS\S-1-5-21-4285537268-375917941-1899198185-1005\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-4285537268-375917941-1899198185-1005\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount (User '?')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...l/4,0,0,101/mcinsctl.cab
O20 - Winlogon Notify: acfbefebbedae - C:\WINDOWS\system32\acfbefebbedae.dll
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\system32\jkhhe.dll (file missing)
O20 - Winlogon Notify: notifyc - C:\WINDOWS\system32\clk.dll
O20 - Winlogon Notify: winyoc32 - C:\WINDOWS\SYSTEM32\winyoc32.dll
O20 - Winlogon Notify: xxyxxxv - xxyxxxv.dll (file missing)
O22 - SharedTaskScheduler: (no name) - {AF0BE91A-D92D-44F5-9581-64F629762E5A} - C:\WINDOWS\system32\clk.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12661 bytes

Edited by Sketh, 08 August 2007 - 08:19 AM.


#2 pomp

pomp

    Malware Fighter


  • Members
  • 362 posts
  • OFFLINE
  • Gender:Male
  • Location:Jersey Shore
  • Local time:02:26 PM

Posted 08 August 2007 - 10:12 AM

Hello and welcome to BleepingComputer.

1. Download this file - combofix
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

After the combofix scan, please scan with HijackThis and let it generate a log. When notepad opens with the log, go to the Format menu and uncheck Word Wrap which is probably checked. Then please post the new HijackThis log along with the combofix log. Thanks.


My help in removing spyware is free, but if you'd like to donate: Donate



PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD


#3 Sketh

Sketh
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:26 PM

Posted 08 August 2007 - 10:35 AM

Finished


ComboFix 07-08-08 - "Sketh" 2007-08-08 11:18:34.1 - NTFSx86


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{34ABE~1
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\vsadd-in
C:\WINDOWS\system32\anaigtwe.dll
C:\WINDOWS\system32\becjrcyl.exe
C:\WINDOWS\system32\bjjvsqhp.dll
C:\WINDOWS\system32\bpwbbljq.exe
C:\WINDOWS\system32\clookpmk.dll
C:\WINDOWS\system32\cqyucjsc.ini
C:\WINDOWS\system32\crc.log
C:\WINDOWS\system32\csjcuyqc.dll
C:\WINDOWS\system32\csmmfqos.exe
C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\djdktvlj.dll
C:\WINDOWS\system32\djjrggrw.exe
C:\WINDOWS\system32\donokcpg.exe
C:\WINDOWS\system32\dqenamta.exe
C:\WINDOWS\system32\dsghivwd.dll
C:\WINDOWS\system32\duvmarrn.exe
C:\WINDOWS\system32\eeee03287a726b0a02bf4fbb8ca2f08b.TMP
C:\WINDOWS\system32\ehhkj.bak1
C:\WINDOWS\system32\ehhkj.bak2
C:\WINDOWS\system32\ehhkj.ini
C:\WINDOWS\system32\fidjwuci.exe
C:\WINDOWS\system32\fjwpgrqu.dll
C:\WINDOWS\system32\flfvxgcj.exe
C:\WINDOWS\system32\ftwmxeox.exe
C:\WINDOWS\system32\gdxyiykp.ini
C:\WINDOWS\system32\ghvrgskb.exe
C:\WINDOWS\system32\gloixabu.dll
C:\WINDOWS\system32\gvssavmm.ini
C:\WINDOWS\system32\hcqscsdc.exe
C:\WINDOWS\system32\hhmtegfy.exe
C:\WINDOWS\system32\hkdjjoai.dll
C:\WINDOWS\system32\hsmbrlcx.exe
C:\WINDOWS\system32\icvsijtx.dll
C:\WINDOWS\system32\icwsfrbs.exe
C:\WINDOWS\system32\idyxxlsn.dll
C:\WINDOWS\system32\j0291738.dll
C:\WINDOWS\system32\j6261238.dll
C:\WINDOWS\system32\jabwclvy.dll
C:\WINDOWS\system32\jkkljgd.dll
C:\WINDOWS\system32\jqdidmip.exe
C:\WINDOWS\system32\kepajhve.exe
C:\WINDOWS\system32\kmpkoolc.ini
C:\WINDOWS\system32\lcrcfvgd.exe
C:\WINDOWS\system32\llcdykac.exe
C:\WINDOWS\system32\mmvassvg.dll
C:\WINDOWS\system32\ncexsgqk.exe
C:\WINDOWS\system32\notify.ini
C:\WINDOWS\system32\nslxxydi.ini
C:\WINDOWS\system32\nsxiyswn.ini
C:\WINDOWS\system32\nvaowwyy.exe
C:\WINDOWS\system32\nwrcqhgd.exe
C:\WINDOWS\system32\nwsyixsn.dll
C:\WINDOWS\system32\oxhhurid.exe
C:\WINDOWS\system32\pkyiyxdg.dll
C:\WINDOWS\system32\pstwa.bak1
C:\WINDOWS\system32\pstwa.bak2
C:\WINDOWS\system32\pstwa.ini
C:\WINDOWS\system32\pstwa.ini2
C:\WINDOWS\system32\pstwa.tmp
C:\WINDOWS\system32\qayposvi.exe
C:\WINDOWS\system32\qcotlcmw.dll
C:\WINDOWS\system32\rgodnpka.exe
C:\WINDOWS\system32\rphaqmbu.exe
C:\WINDOWS\system32\tavuwfia.exe
C:\WINDOWS\system32\tbehhjqm.dll
C:\WINDOWS\system32\ubaxiolg.ini
C:\WINDOWS\system32\uithjbqi.dll
C:\WINDOWS\system32\uktpkdtc.exe
C:\WINDOWS\system32\uqrgpwjf.ini
C:\WINDOWS\system32\wfkwneuc.exe
C:\WINDOWS\system32\whepacnb.exe
C:\WINDOWS\system32\winyoc32.dll
C:\WINDOWS\system32\wpgdtsfn.dll
C:\WINDOWS\system32\wvurroo.dll
C:\WINDOWS\system32\wvutuvs.dll
C:\WINDOWS\system32\xmvihflb.exe
C:\WINDOWS\system32\xndkkxvq.dll
C:\WINDOWS\system32\xttdgowm.exe
C:\WINDOWS\system32\xxluquvd.dll
C:\WINDOWS\system32\yvlcwbaj.ini
C:\WINDOWS\system32\yvrsppqm.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_COM+_MESSAGES
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-07-08 to 2007-08-08 )))))))))))))))))))))))))))))))


2007-08-08 11:18 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-08 09:17 77,312 --a------ C:\WINDOWS\system32\clcr.exe
2007-08-07 23:31 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-07 23:30 <DIR> d-------- C:\DOCUME~1\Sketh\.housecall6.6
2007-08-07 23:07 146,944 --a------ C:\WINDOWS\system32\clk.dll
2007-08-07 23:02 <DIR> d-------- C:\_backupD
2007-08-07 22:46 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-07 22:19 90,112 --a------ C:\WINDOWS\system32\regdacl.exe
2007-08-07 22:19 53,248 --a------ C:\WINDOWS\system32\process.exe
2007-08-07 22:19 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2007-08-07 22:19 280,230 --a------ C:\win32delfkil.exe
2007-08-07 22:19 16,384 --a------ C:\WINDOWS\system32\restart.exe
2007-08-07 22:19 <DIR> d-------- C:\WINDOWS\system32\regdacl
2007-08-07 21:26 <DIR> d-------- C:\$WIN_NT$.~BT
2007-08-07 20:28 <DIR> d-------- C:\Program Files\PowerISO
2007-08-07 19:39 <DIR> d-------- C:\Program Files\Samurize
2007-08-07 18:18 70,208 --a------ C:\WINDOWS\system32\dfprrlxi.dll
2007-08-07 10:18 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2007-08-06 20:15 33,052 --a------ C:\WINDOWS\system32\drivers\scdemu.sys
2007-08-06 00:25 126,016 --a------ C:\WINDOWS\system32\umtwvnor.dll
2007-07-30 20:19 10 --a------ C:\WINDOWS\system32\wfxhelp22.dll
2007-07-28 16:30 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-07-28 16:30 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-28 16:30 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-28 16:30 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-28 16:30 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-28 16:30 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-28 16:30 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-28 16:13 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-07-28 15:55 <DIR> d-------- C:\Program Files\CCleaner
2007-07-28 13:25 126,016 --a------ C:\WINDOWS\system32\awtyhqyb.dll
2007-07-27 16:55 1,763,847 ---hs---- C:\WINDOWS\system32\opqss.bak2
2007-07-26 21:57 6,467 ---hs---- C:\WINDOWS\system32\opqss.bak1
2007-07-26 16:37 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Talkback
2007-07-25 20:09 <DIR> d-------- C:\WINDOWS\system32\tnwlpqno
2007-07-25 16:34 126,016 --a------ C:\WINDOWS\system32\wtxifeyp.dll
2007-07-24 16:36 126,016 --a------ C:\WINDOWS\system32\mleyeyfr.dll
2007-07-23 16:36 126,016 --a------ C:\WINDOWS\system32\gykhxgwc.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 11:22 --------- d-------- C:\Program Files\RKlauncher
2007-08-07 22:02 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-07 22:01 --------- d-------- C:\Program Files\Common Files\Sonic Shared
2007-08-07 20:11 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-08-07 10:45 --------- d-------- C:\Program Files\MUSICMATCH
2007-08-07 10:38 --------- d-------- C:\Program Files\iPod
2007-07-30 20:18 --------- d-------- C:\Program Files\Stardock
2007-07-20 16:29 23040 --------- C:\WINDOWS\system32\acfbefebbedae.dll
2007-06-07 12:56 3895 --a------ C:\WINDOWS\mozver.dat
2007-05-27 16:50 56 -r-hs---- C:\WINDOWS\system32\AE37F19D3A.sys
2007-05-27 16:50 1682 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-11 00:12 42496 --a------ C:\WINDOWS\system32\libusb0.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18B4FB77-6BD0-4A4E-A73C-2456CE0D1F12}]
C:\WINDOWS\system32\vturp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2506D597-1D6E-41F2-9C11-814042FACAC9}]
C:\WINDOWS\system32\awtsr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{347BFC16-DF6E-48BF-9804-D0296F94E36B}]
C:\WINDOWS\system32\gebya.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4EEA6D4C-DD52-49B3-B358-BAA68701A3B3}]
C:\WINDOWS\system32\jkhhe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E0518A4-A03C-4E35-A873-2C1EE9E75AA4}]
C:\WINDOWS\system32\nksdfjdo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9318DBF7-9EE9-4C7C-86E0-6750CA72BD95}]
C:\WINDOWS\system32\gebya.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A9D44074-264B-4A04-B8D0-D1660CD2F088}]
C:\WINDOWS\system32\ssqpo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBE8C227-CD7C-4C0F-8FD5-23E0E560E26a}]
C:\WINDOWS\system32\nksdfjdo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE907419-361F-4BF4-80AD-85EDB0ECB30A}]
C:\WINDOWS\system32\vturp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9115727-0430-4786-BF9A-7CF2CD50EDAE}]
C:\WINDOWS\system32\jkhhg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 22:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" []
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 23:02]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 16:16]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20]
"ECenter"="c:\dell\E-Center\gtb.exe" [2006-06-14 16:17]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 10:26]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 13:49]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 17:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"bwtwhehq.exe"="C:\Documents and Settings\All Users\Application Data\bwtwhehq.exe" [2007-05-30 15:38]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 17:20 C:\WINDOWS\stsystra.exe]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 20:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]
"RK Launcher"="C:\Program Files\RKlauncher\RKLauncher.exe" [2007-03-16 13:05]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-07-02 06:27]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-08-30 13:17:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{AF0BE91A-D92D-44F5-9581-64F629762E5A}"= C:\WINDOWS\system32\clk.dll [2007-08-07 23:07 146944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acfbefebbedae]
C:\WINDOWS\system32\acfbefebbedae.dll 2007-07-20 16:29 23040 C:\WINDOWS\system32\acfbefebbedae.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhhe]
C:\WINDOWS\system32\jkhhe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxxxv]
xxyxxxv.dll


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\TEMP\win813C.tmp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j6261238]
rundll32 C:\WINDOWS\system32\j6261238.dll sook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MRT]
"C:\WINDOWS\system32\MRT.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
"C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5cade2f0-9863-11db-a0c8-001372df683e}]
AutoRun\command- setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80a4574a-d8a6-11db-a109-001372df683e}]
AutoRun\command- E:\LaunchU3.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{126ACC47-A562-E292-0605-010108000101}]
C:\WINDOWS\system32\winini.exe

Contents of the 'Scheduled Tasks' folder
2007-07-24 21:56:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2006-11-01 23:40:04 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1161601607.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
2007-08-08 00:09:00 C:\WINDOWS\Tasks\FRU Task $ContextID$.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
2007-07-20 22:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (ZIGGY5050-Sketh).job - c:\program files\mcafee.com\vso\mcmnhdlr.exe
2007-08-08 02:47:44 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe
2007-07-29 11:07:00 C:\WINDOWS\Tasks\WebReg 20061023070755.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
2007-07-26 18:25:00 C:\WINDOWS\Tasks\WebReg 20061028142510.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
2007-07-25 22:51:00 C:\WINDOWS\Tasks\WebReg 20061110185127.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
2007-07-26 18:08:00 C:\WINDOWS\Tasks\WebReg 20061126140801.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
2007-07-26 18:52:00 C:\WINDOWS\Tasks\WebReg 20061206145213.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
2007-07-29 13:41:00 C:\WINDOWS\Tasks\WebReg 20070113094151.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
2007-07-26 20:25:00 C:\WINDOWS\Tasks\WebReg 20070115162508.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
2007-07-29 01:06:00 C:\WINDOWS\Tasks\WebReg 20070115210618.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
2007-07-29 13:49:00 C:\WINDOWS\Tasks\WebReg 20070128094929.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-08 11:28:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-08-08 11:31:27 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-08 11:30

--- E O F ---






Hijack this log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:59 AM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\clcr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\bwtwhehq.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RKlauncher\RKLauncher.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sketh\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ww.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {18B4FB77-6BD0-4A4E-A73C-2456CE0D1F12} - C:\WINDOWS\system32\vturp.dll (file missing)
O2 - BHO: (no name) - {2506D597-1D6E-41F2-9C11-814042FACAC9} - C:\WINDOWS\system32\awtsr.dll (file missing)
O2 - BHO: (no name) - {347BFC16-DF6E-48BF-9804-D0296F94E36B} - C:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {4EEA6D4C-DD52-49B3-B358-BAA68701A3B3} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {5E0518A4-A03C-4E35-A873-2C1EE9E75AA4} - C:\WINDOWS\system32\nksdfjdo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9318DBF7-9EE9-4C7C-86E0-6750CA72BD95} - C:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: (no name) - {A9D44074-264B-4A04-B8D0-D1660CD2F088} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O2 - BHO: (no name) - {BBE8C227-CD7C-4C0F-8FD5-23E0E560E26a} - C:\WINDOWS\system32\nksdfjdo.dll (file missing)
O2 - BHO: (no name) - {BE907419-361F-4BF4-80AD-85EDB0ECB30A} - C:\WINDOWS\system32\vturp.dll (file missing)
O2 - BHO: (no name) - {D9115727-0430-4786-BF9A-7CF2CD50EDAE} - C:\WINDOWS\system32\jkhhg.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ECenter] "c:\dell\E-Center\gtb.exe"
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [bwtwhehq.exe] C:\Documents and Settings\All Users\Application Data\bwtwhehq.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RK Launcher] "C:\Program Files\RKlauncher\RKLauncher.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-21-4285537268-375917941-1899198185-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-4285537268-375917941-1899198185-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-4285537268-375917941-1899198185-1005\..\Run: [RK Launcher] "C:\Program Files\RKlauncher\RKLauncher.exe" (User '?')
O4 - HKUS\S-1-5-21-4285537268-375917941-1899198185-1005\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-4285537268-375917941-1899198185-1005\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount (User '?')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O20 - Winlogon Notify: acfbefebbedae - C:\WINDOWS\system32\acfbefebbedae.dll
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\system32\jkhhe.dll (file missing)
O20 - Winlogon Notify: xxyxxxv - xxyxxxv.dll (file missing)
O22 - SharedTaskScheduler: (no name) - {AF0BE91A-D92D-44F5-9581-64F629762E5A} - C:\WINDOWS\system32\clk.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11657 bytes

#4 pomp

pomp

    Malware Fighter


  • Members
  • 362 posts
  • Gender:Male
  • Location:Jersey Shore

Posted 08 August 2007 - 11:22 AM

Please open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

http://www.bleepingcomputer.com/forums/t/103313/clcr-problems-starts-up-slowly-closes-windows/
Collect::
C:\WINDOWS\system32\clcr.exe
C:\WINDOWS\system32\clk.dll
C:\WINDOWS\system32\dfprrlxi.dll
C:\WINDOWS\system32\umtwvnor.dll
C:\WINDOWS\system32\awtyhqyb.dll
C:\WINDOWS\system32\opqss.bak2
C:\WINDOWS\system32\opqss.bak1
C:\WINDOWS\system32\wtxifeyp.dll
C:\WINDOWS\system32\mleyeyfr.dll
C:\WINDOWS\system32\gykhxgwc.dll
C:\WINDOWS\system32\acfbefebbedae.dll
Folder::
C:\WINDOWS\system32\tnwlpqno


Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
Please submit this file to:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Edited by pomp, 08 August 2007 - 11:23 AM.


My help in removing spyware is free, but if you'd like to donate: Donate



PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD
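
The files pomp lists under Collect:: come from triaging the HijackThis log posted above: unnamed BHOs whose DLLs are gone, a Winlogon Notify package and a SharedTaskScheduler DLL with meaningless names, and an executable auto-started from All Users\Application Data. The Python below is an added example, not code from this thread, HijackThis or ComboFix; it applies those same cues to lines copied from the posted log. The allow-list of default Windows XP Winlogon Notify packages, the random-name thresholds and the function names are assumptions.

```python
"""Triage HijackThis 2.0 log lines with the cues a malware-removal helper looks for.

Added example; not code from HijackThis or ComboFix. Sample lines are copied from
the log in this thread. The XP Winlogon Notify allow-list, the random-name
thresholds and all function names are assumptions."""
import re
from dataclasses import dataclass, field

# Assumed baseline: Winlogon Notify packages present on a default Windows XP install.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}
# Auto-start targets in these user-writable locations get a second look.
USER_WRITABLE = (
    "\\application data\\", "\\documents and settings\\",
    "\\local settings\\temp\\", "\\windows\\temp\\",
)
HJT_LINE = re.compile(r"^([ORFN]\d+) - (.*)$")
# A quoted path, or an unquoted one up to its executable/library extension.
TARGET = re.compile(r'^(?:"([^"]+)"|(\S.*?\.(?:exe|dll|scr|com|cpl)))(?:\s|$)', re.I)


@dataclass
class Finding:
    section: str
    target: str
    reasons: list = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Generated-name heuristic: lowercase letters only, and either no vowel at all
    or a run of four or more consonants. It misses names such as 'gebya', so it
    only supplements the structural cues in triage()."""
    if not re.fullmatch(r"[a-z]{4,}", stem):
        return False
    return not re.search(r"[aeiou]", stem) or re.search(r"[^aeiou]{4,}", stem) is not None


def extract_target(section: str, detail: str) -> str:
    """Pull the file path out of the section-specific tail of an HJT line."""
    if section == "O4":
        detail = detail.split("] ", 1)[-1]      # drop the [Run value name]
    else:
        detail = detail.rsplit(" - ", 1)[-1]    # path is the last ' - ' field
    m = TARGET.match(detail.strip())
    return (m.group(1) or m.group(2)) if m else detail.strip()


def triage(line: str):
    """Return a Finding for one log line (reasons empty when nothing stands out),
    or None for lines that are not HJT entries."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    missing = rest.endswith("(file missing)")
    if missing:
        rest = rest[: -len("(file missing)")].rstrip()
    kind, _, detail = rest.partition(": ")
    target = extract_target(section, detail)
    low = target.lower()
    f = Finding(section, target)
    if missing:
        f.reasons.append("orphaned entry: registered component is no longer on disk")
    if section in ("O2", "O22") and detail.startswith("(no name)"):
        f.reasons.append(f"unnamed {kind} entry")
    if section == "O20":
        package = detail.split(" - ", 1)[0].strip().lower()
        if package not in KNOWN_WINLOGON_NOTIFY:
            f.reasons.append("Winlogon Notify package outside the XP baseline")
    in_data_dir = any(d in low for d in USER_WRITABLE)
    if section == "O4" and in_data_dir:
        f.reasons.append("auto-start program in a user-writable data directory")
    # Only judge names in system32 or data directories; vendor dirs are noisy.
    stem = re.sub(r"\.[a-z0-9]+$", "", low.rsplit("\\", 1)[-1])
    if ("\\system32\\" in low or in_data_dir) and looks_random(stem):
        f.reasons.append("random-looking file name")
    return f


def triage_log(lines):
    """Findings with at least one reason, in log order."""
    return [f for f in map(triage, lines) if f is not None and f.reasons]


# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {18B4FB77-6BD0-4A4E-A73C-2456CE0D1F12} - C:\WINDOWS\system32\vturp.dll (file missing)",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\Run: [bwtwhehq.exe] C:\Documents and Settings\All Users\Application Data\bwtwhehq.exe",
    r"O20 - Winlogon Notify: acfbefebbedae - C:\WINDOWS\system32\acfbefebbedae.dll",
    r"O20 - Winlogon Notify: xxyxxxv - xxyxxxv.dll (file missing)",
    r"O22 - SharedTaskScheduler: (no name) - {AF0BE91A-D92D-44F5-9581-64F629762E5A} - C:\WINDOWS\system32\clk.dll",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank",
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:<4}{f.target}")
        for r in f.reasons:
            print(f"      - {r}")
```

Every flagged item in the sample is one pomp put in the CFScript or one whose DLL is already gone; the avast, Dell and Adobe entries pass untouched.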


#5 Sketh

Sketh
  • Topic Starter

  • Members
  • 5 posts

Posted 08 August 2007 - 11:51 AM

Finished:

ComboFix 07-08-08 - "Sketh" 2007-08-08 12:35:26.2 - NTFSx86
Command switches used :: C:\Documents and Settings\Sketh\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\acfbefebbedae.dll
C:\WINDOWS\system32\awtyhqyb.dll
C:\WINDOWS\system32\clcr.exe
C:\WINDOWS\system32\clk.dll
C:\WINDOWS\system32\dfprrlxi.dll
C:\WINDOWS\system32\gykhxgwc.dll
C:\WINDOWS\system32\mleyeyfr.dll
C:\WINDOWS\system32\opqss.bak1
C:\WINDOWS\system32\opqss.bak2
C:\WINDOWS\system32\tnwlpqno
C:\WINDOWS\system32\tnwlpqno\bg1.gif
C:\WINDOWS\system32\tnwlpqno\bgtop.gif
C:\WINDOWS\system32\tnwlpqno\bottom1.gif
C:\WINDOWS\system32\tnwlpqno\essentials.gif
C:\WINDOWS\system32\tnwlpqno\icon1.ico
C:\WINDOWS\system32\tnwlpqno\install1.gif
C:\WINDOWS\system32\tnwlpqno\left1.gif
C:\WINDOWS\system32\tnwlpqno\li.gif
C:\WINDOWS\system32\tnwlpqno\logo.gif
C:\WINDOWS\system32\tnwlpqno\main.htm
C:\WINDOWS\system32\tnwlpqno\mainframe.htm
C:\WINDOWS\system32\tnwlpqno\reinstall1.gif
C:\WINDOWS\system32\tnwlpqno\right1.gif
C:\WINDOWS\system32\tnwlpqno\s1.htm
C:\WINDOWS\system32\tnwlpqno\s2.htm
C:\WINDOWS\system32\tnwlpqno\s3.htm
C:\WINDOWS\system32\tnwlpqno\SMTop1.gif
C:\WINDOWS\system32\tnwlpqno\SMTop2.gif
C:\WINDOWS\system32\tnwlpqno\SMTop3.gif
C:\WINDOWS\system32\tnwlpqno\SMTop4.gif
C:\WINDOWS\system32\tnwlpqno\soft1_off.gif
C:\WINDOWS\system32\tnwlpqno\soft1_off_ext.gif
C:\WINDOWS\system32\tnwlpqno\soft1_on.gif
C:\WINDOWS\system32\tnwlpqno\soft1_on_ext.gif
C:\WINDOWS\system32\tnwlpqno\soft2_off.gif
C:\WINDOWS\system32\tnwlpqno\soft2_off_ext.gif
C:\WINDOWS\system32\tnwlpqno\soft2_on.gif
C:\WINDOWS\system32\tnwlpqno\soft2_on_ext.gif
C:\WINDOWS\system32\tnwlpqno\soft3_off.gif
C:\WINDOWS\system32\tnwlpqno\soft3_off_ext.gif
C:\WINDOWS\system32\tnwlpqno\soft3_on.gif
C:\WINDOWS\system32\tnwlpqno\soft3_on_ext.gif
C:\WINDOWS\system32\tnwlpqno\softbottom_off.gif
C:\WINDOWS\system32\tnwlpqno\softbottom_on.gif
C:\WINDOWS\system32\tnwlpqno\softleft_off.gif
C:\WINDOWS\system32\tnwlpqno\softleft_on.gif
C:\WINDOWS\system32\tnwlpqno\top1.gif
C:\WINDOWS\system32\tnwlpqno\top2.gif
C:\WINDOWS\system32\tnwlpqno\turnoff1.gif
C:\WINDOWS\system32\tnwlpqno\turnon1.gif
C:\WINDOWS\system32\umtwvnor.dll
C:\WINDOWS\system32\wtxifeyp.dll


((((((((((((((((((((((((( Files Created from 2007-07-08 to 2007-08-08 )))))))))))))))))))))))))))))))


2007-08-08 11:18 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-07 23:31 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-07 23:30 <DIR> d-------- C:\DOCUME~1\Sketh\.housecall6.6
2007-08-07 23:02 <DIR> d-------- C:\_backupD
2007-08-07 22:46 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-07 22:19 90,112 --a------ C:\WINDOWS\system32\regdacl.exe
2007-08-07 22:19 53,248 --a------ C:\WINDOWS\system32\process.exe
2007-08-07 22:19 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2007-08-07 22:19 280,230 --a------ C:\win32delfkil.exe
2007-08-07 22:19 16,384 --a------ C:\WINDOWS\system32\restart.exe
2007-08-07 22:19 <DIR> d-------- C:\WINDOWS\system32\regdacl
2007-08-07 21:26 <DIR> d-------- C:\$WIN_NT$.~BT
2007-08-07 20:28 <DIR> d-------- C:\Program Files\PowerISO
2007-08-07 19:39 <DIR> d-------- C:\Program Files\Samurize
2007-08-07 10:18 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2007-08-06 20:15 33,052 --a------ C:\WINDOWS\system32\drivers\scdemu.sys
2007-07-30 20:19 10 --a------ C:\WINDOWS\system32\wfxhelp22.dll
2007-07-28 16:30 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-07-28 16:30 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-28 16:30 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-28 16:30 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-28 16:30 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-28 16:30 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-28 16:30 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-28 16:13 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-07-28 15:55 <DIR> d-------- C:\Program Files\CCleaner
2007-07-26 16:37 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Talkback


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 12:38 --------- d-------- C:\Program Files\RKlauncher
2007-08-07 22:02 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-07 22:01 --------- d-------- C:\Program Files\Common Files\Sonic Shared
2007-08-07 20:11 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-08-07 10:45 --------- d-------- C:\Program Files\MUSICMATCH
2007-08-07 10:38 --------- d-------- C:\Program Files\iPod
2007-07-30 20:18 --------- d-------- C:\Program Files\Stardock
2007-06-07 12:56 3895 --a------ C:\WINDOWS\mozver.dat
2007-05-27 16:50 56 -r-hs---- C:\WINDOWS\system32\AE37F19D3A.sys
2007-05-27 16:50 1682 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-11 00:12 42496 --a------ C:\WINDOWS\system32\libusb0.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18B4FB77-6BD0-4A4E-A73C-2456CE0D1F12}]
C:\WINDOWS\system32\vturp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2506D597-1D6E-41F2-9C11-814042FACAC9}]
C:\WINDOWS\system32\awtsr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{347BFC16-DF6E-48BF-9804-D0296F94E36B}]
C:\WINDOWS\system32\gebya.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4EEA6D4C-DD52-49B3-B358-BAA68701A3B3}]
C:\WINDOWS\system32\jkhhe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E0518A4-A03C-4E35-A873-2C1EE9E75AA4}]
C:\WINDOWS\system32\nksdfjdo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9318DBF7-9EE9-4C7C-86E0-6750CA72BD95}]
C:\WINDOWS\system32\gebya.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A9D44074-264B-4A04-B8D0-D1660CD2F088}]
C:\WINDOWS\system32\ssqpo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBE8C227-CD7C-4C0F-8FD5-23E0E560E26a}]
C:\WINDOWS\system32\nksdfjdo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE907419-361F-4BF4-80AD-85EDB0ECB30A}]
C:\WINDOWS\system32\vturp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9115727-0430-4786-BF9A-7CF2CD50EDAE}]
C:\WINDOWS\system32\jkhhg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 22:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" []
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 23:02]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 16:16]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20]
"ECenter"="c:\dell\E-Center\gtb.exe" [2006-06-14 16:17]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 10:26]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 13:49]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 17:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"bwtwhehq.exe"="C:\Documents and Settings\All Users\Application Data\bwtwhehq.exe" [2007-05-30 15:38]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 17:20 C:\WINDOWS\stsystra.exe]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 20:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]
"RK Launcher"="C:\Program Files\RKlauncher\RKLauncher.exe" [2007-03-16 13:05]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-07-02 06:27]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-08-30 13:17:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{AF0BE91A-D92D-44F5-9581-64F629762E5A}"= C:\WINDOWS\system32\clk.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acfbefebbedae]
C:\WINDOWS\system32\acfbefebbedae.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhhe]
C:\WINDOWS\system32\jkhhe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxxxv]
xxyxxxv.dll


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\TEMP\win813C.tmp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j6261238]
rundll32 C:\WINDOWS\system32\j6261238.dll sook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MRT]
"C:\WINDOWS\system32\MRT.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
"C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5cade2f0-9863-11db-a0c8-001372df683e}]
AutoRun\command- setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80a4574a-d8a6-11db-a109-001372df683e}]
AutoRun\command- E:\LaunchU3.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{126ACC47-A562-E292-0605-010108000101}]
C:\WINDOWS\system32\winini.exe

Contents of the 'Scheduled Tasks' folder
2007-07-24 21:56:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2006-11-01 23:40:04 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1161601607.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
2007-08-08 00:09:00 C:\WINDOWS\Tasks\FRU Task $ContextID$.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
2007-07-20 22:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (ZIGGY5050-Sketh).job - c:\program files\mcafee.com\vso\mcmnhdlr.exe
2007-08-08 16:38:20 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe
2007-07-29 11:07:00 C:\WINDOWS\Tasks\WebReg 20061023070755.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
2007-07-26 18:25:00 C:\WINDOWS\Tasks\WebReg 20061028142510.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
2007-07-25 22:51:00 C:\WINDOWS\Tasks\WebReg 20061110185127.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
2007-07-26 18:08:00 C:\WINDOWS\Tasks\WebReg 20061126140801.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
2007-07-26 18:52:00 C:\WINDOWS\Tasks\WebReg 20061206145213.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
2007-07-29 13:41:00 C:\WINDOWS\Tasks\WebReg 20070113094151.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
2007-07-26 20:25:00 C:\WINDOWS\Tasks\WebReg 20070115162508.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
2007-07-29 01:06:00 C:\WINDOWS\Tasks\WebReg 20070115210618.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe
2007-07-29 13:49:00 C:\WINDOWS\Tasks\WebReg 20070128094929.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-08 12:44:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-08-08 12:48:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-08 12:47
C:\ComboFix2.txt ... 2007-08-08 11:31

--- E O F ---
HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:03 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\bwtwhehq.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RKlauncher\RKLauncher.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Sketh\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ww.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {18B4FB77-6BD0-4A4E-A73C-2456CE0D1F12} - C:\WINDOWS\system32\vturp.dll (file missing)
O2 - BHO: (no name) - {2506D597-1D6E-41F2-9C11-814042FACAC9} - C:\WINDOWS\system32\awtsr.dll (file missing)
O2 - BHO: (no name) - {347BFC16-DF6E-48BF-9804-D0296F94E36B} - C:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {4EEA6D4C-DD52-49B3-B358-BAA68701A3B3} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {5E0518A4-A03C-4E35-A873-2C1EE9E75AA4} - C:\WINDOWS\system32\nksdfjdo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9318DBF7-9EE9-4C7C-86E0-6750CA72BD95} - C:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: (no name) - {A9D44074-264B-4A04-B8D0-D1660CD2F088} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O2 - BHO: (no name) - {BBE8C227-CD7C-4C0F-8FD5-23E0E560E26a} - C:\WINDOWS\system32\nksdfjdo.dll (file missing)
O2 - BHO: (no name) - {BE907419-361F-4BF4-80AD-85EDB0ECB30A} - C:\WINDOWS\system32\vturp.dll (file missing)
O2 - BHO: (no name) - {D9115727-0430-4786-BF9A-7CF2CD50EDAE} - C:\WINDOWS\system32\jkhhg.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ECenter] "c:\dell\E-Center\gtb.exe"
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [bwtwhehq.exe] C:\Documents and Settings\All Users\Application Data\bwtwhehq.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RK Launcher] "C:\Program Files\RKlauncher\RKLauncher.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-21-4285537268-375917941-1899198185-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-4285537268-375917941-1899198185-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-4285537268-375917941-1899198185-1005\..\Run: [RK Launcher] "C:\Program Files\RKlauncher\RKLauncher.exe" (User '?')
O4 - HKUS\S-1-5-21-4285537268-375917941-1899198185-1005\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-4285537268-375917941-1899198185-1005\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount (User '?')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O20 - Winlogon Notify: acfbefebbedae - C:\WINDOWS\system32\acfbefebbedae.dll (file missing)
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\system32\jkhhe.dll (file missing)
O20 - Winlogon Notify: xxyxxxv - xxyxxxv.dll (file missing)
O22 - SharedTaskScheduler: (no name) - {AF0BE91A-D92D-44F5-9581-64F629762E5A} - C:\WINDOWS\system32\clk.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11670 bytes



Thanks for helping so far.


PS. ComboFix wanted to send the report automatically; I'm assuming it knew what channel to send it to, so I allowed it to. If I have to manually upload it to said channel, I can.

Edited by Sketh, 08 August 2007 - 11:52 AM.


#6 pomp
Malware Fighter

Posted 08 August 2007 - 01:56 PM

Yes, it knew what channel to send it to. If you know for sure it sent it, that's good! If not, send it using the link in my previous post, towards the end of the reply.


Have HijackThis fix the following with no browser windows open:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {18B4FB77-6BD0-4A4E-A73C-2456CE0D1F12} - C:\WINDOWS\system32\vturp.dll (file missing)
O2 - BHO: (no name) - {2506D597-1D6E-41F2-9C11-814042FACAC9} - C:\WINDOWS\system32\awtsr.dll (file missing)
O2 - BHO: (no name) - {347BFC16-DF6E-48BF-9804-D0296F94E36B} - C:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: (no name) - {4EEA6D4C-DD52-49B3-B358-BAA68701A3B3} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O2 - BHO: (no name) - {5E0518A4-A03C-4E35-A873-2C1EE9E75AA4} - C:\WINDOWS\system32\nksdfjdo.dll (file missing)
O2 - BHO: (no name) - {9318DBF7-9EE9-4C7C-86E0-6750CA72BD95} - C:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: (no name) - {A9D44074-264B-4A04-B8D0-D1660CD2F088} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O2 - BHO: (no name) - {BBE8C227-CD7C-4C0F-8FD5-23E0E560E26a} - C:\WINDOWS\system32\nksdfjdo.dll (file missing)
O2 - BHO: (no name) - {BE907419-361F-4BF4-80AD-85EDB0ECB30A} - C:\WINDOWS\system32\vturp.dll (file missing)
O2 - BHO: (no name) - {D9115727-0430-4786-BF9A-7CF2CD50EDAE} - C:\WINDOWS\system32\jkhhg.dll (file missing)
O20 - Winlogon Notify: acfbefebbedae - C:\WINDOWS\system32\acfbefebbedae.dll (file missing)
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\system32\jkhhe.dll (file missing)
O20 - Winlogon Notify: xxyxxxv - xxyxxxv.dll (file missing)
O22 - SharedTaskScheduler: (no name) - {AF0BE91A-D92D-44F5-9581-64F629762E5A} - C:\WINDOWS\system32\clk.dll (file missing)


Restart your computer.

Scan with HijackThis and post a fresh log.


My help in removing spyware is free, but if you'd like to donate: Donate



PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD
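The fix list above is built from a few recurring signs in the HijackThis (HJT) log: load points whose DLL is already gone ("(file missing)"), a Run value launched from All Users\Application Data, and random-looking file names. The following is an added example, not code from this thread or from HijackThis itself: it parses the O2/O4/O20/O22 line formats seen in the logs and applies those signs as heuristics. The sample lines are constructed to mirror entries from the logs posted here, and the vowel-ratio threshold and directory list are assumptions of the example, not HJT rules.

```python
"""Triage HijackThis log entries (added example, not HJT's own code)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the logs in this thread; one known-good
# line per section is included for contrast.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BE907419-361F-4BF4-80AD-85EDB0ECB30A} - C:\WINDOWS\system32\vturp.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [bwtwhehq.exe] C:\Documents and Settings\All Users\Application Data\bwtwhehq.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O20 - Winlogon Notify: xxyxxxv - xxyxxxv.dll (file missing)
O22 - SharedTaskScheduler: (no name) - {AF0BE91A-D92D-44F5-9581-64F629762E5A} - C:\WINDOWS\system32\clk.dll (file missing)
"""

@dataclass
class Entry:
    section: str   # HJT section code, e.g. "O4"
    name: str      # display name or Run value name
    path: str      # file the entry loads
    missing: bool  # HJT printed "(file missing)"
    raw: str       # original log line, as pasted into HJT's fix list

@dataclass
class Finding:
    entry: Entry
    severity: str  # "fix": orphan; "suspect": likely dropper; "verify": look closer
    reason: str

MISSING = " (file missing)"
_SECTION = re.compile(r"^(?P<sec>O\d+|R\d)\s+-\s+(?P<body>.*)$")
_BHO = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
_RUN = re.compile(r"^.*?\\\.\.\\\w+: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
_NOTIFY = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
_STS = re.compile(r"^SharedTaskScheduler: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
_EXE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|cpl|scr))"?', re.I)
# Assumed: locations a dropper can write without admin rights on XP.
_USER_WRITABLE = ("\\application data\\", "\\documents and settings\\",
                  "\\temp\\", "\\local settings\\")

def parse_hjt(text: str) -> List[Entry]:
    """Parse the O2, O4, O20 and O22 line formats; other sections are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _SECTION.match(raw.strip())
        if not m:
            continue
        sec, body = m["sec"], m["body"]
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)]
        if sec == "O2" and (b := _BHO.match(body)):
            name, path = b["name"], b["path"]
        elif sec == "O4" and (r := _RUN.match(body)):
            x = _EXE.match(r["cmd"])        # strip quotes and arguments
            name, path = r["name"], (x["path"] if x else r["cmd"])
        elif sec == "O20" and (n := _NOTIFY.match(body)):
            name, path = n["name"], n["path"]
        elif sec == "O22" and (s := _STS.match(body)):
            name, path = s["name"], s["path"]
        else:
            continue
        entries.append(Entry(sec, name, path, missing, raw))
    return entries

def _random_looking(stem: str) -> bool:
    # Assumed heuristic: 5+ lowercase letters with under 25% vowels.
    return bool(re.fullmatch(r"[a-z]{5,}", stem)) and \
        sum(c in "aeiou" for c in stem) / len(stem) < 0.25

def triage(text: str) -> List[Finding]:
    out = []
    for e in parse_hjt(text):
        p = e.path.lower()
        if e.missing:
            out.append(Finding(e, "fix", "load point for a file that no longer exists"))
        if any(d in p for d in _USER_WRITABLE):
            out.append(Finding(e, "suspect", "autorun from a user-writable data directory"))
        if p and not re.match(r"^[a-z]:\\", p):
            out.append(Finding(e, "verify", "unqualified path, resolved via search order"))
        if _random_looking(p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]):
            out.append(Finding(e, "verify", "random-looking file name"))
    return out

def hjt_fix_list(text: str) -> List[str]:
    """Raw log lines to hand to HijackThis, in log order, without duplicates."""
    seen, lines = set(), []
    for f in triage(text):
        if f.severity in ("fix", "suspect") and f.entry.raw not in seen:
            seen.add(f.entry.raw)
            lines.append(f.entry.raw)
    return lines

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:7}] {f.entry.section} {f.entry.path}: {f.reason}")
    print("\nHave HijackThis fix:\n" + "\n".join(hjt_fix_list(SAMPLE_LOG)))
```

"verify" findings are deliberately not put on the fix list: a bare file name such as stsystra.exe is normal for a vendor tray app that lives in C:\WINDOWS, but it is also exactly how a planted copy earlier in the search order would look, so it gets a closer look rather than an automatic removal.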


#7 Sketh

Sketh
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:26 PM

Posted 08 August 2007 - 10:19 PM

Yeah, before I went out I resent it anyway manually. Thank you for clarifying though.

Fresh Log:





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:41 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RKlauncher\RKLauncher.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Sketh\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ww.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ECenter] "c:\dell\E-Center\gtb.exe"
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [bwtwhehq.exe] C:\Documents and Settings\All Users\Application Data\bwtwhehq.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RK Launcher] "C:\Program Files\RKlauncher\RKLauncher.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-21-4285537268-375917941-1899198185-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-4285537268-375917941-1899198185-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-4285537268-375917941-1899198185-1005\..\Run: [RK Launcher] "C:\Program Files\RKlauncher\RKLauncher.exe" (User '?')
O4 - HKUS\S-1-5-21-4285537268-375917941-1899198185-1005\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-4285537268-375917941-1899198185-1005\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount (User '?')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10085 bytes

#8 pomp

Malware Fighter

Posted 08 August 2007 - 11:22 PM

Hello.

Have HijackThis just fix the following line:

O4 - HKLM\..\Run: [bwtwhehq.exe] C:\Documents and Settings\All Users\Application Data\bwtwhehq.exe

Your log is now clean!

How are things now?

Since your issues have been addressed and you are ready to travel the net again, I will just give you a few ideas on how to stay safe out there. Best of all, these programs are all readily available on the net for free.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster.

SpywareBlaster is by JavaCool and is a free program. SpywareBlaster will prevent spyware from being installed and consumes no system resources.

More info and download is available at:

Spyware Blaster

Might I suggest the following Free Spyware program for added security, you can download it at the following link. This program works great for detection:

Spybot S&D--Spybot Tutorial

Antiviruses play an important role in keeping your computer safe and worry-free while using the net. *NOTE* Only one antivirus must be allowed to run on your computer, as having two or more running can and will cause conflicts.

AVG Avast

Firewalls are also a must in any good prevention:

Zone Alarm Tiny Personal Firewall

There are different browsers available on the net other than Internet Explorer; we believe these are better for security purposes:

Firefox Opera

You must stay on top of your updates at all times, for the above mentioned applications.

It is vitally important to stay on top of your critical updates provided by Microsoft.

This can be accessed by going to Windows Updates and following the prompts.

And finally, a little reading: How did I get infected in the first place? (by Mr. Tony Klein)

Good luck and safe surfing.

Edited by pomp, 08 August 2007 - 11:22 PM.


#9 Sketh

Topic Starter


Posted 09 August 2007 - 12:02 AM

Thank you so much. I'm a Firefox user, and never really liked Internet Explorer. Not to mention a majority of the programs you have listed I use regularly on my main computer. Thanks a lot for the information, I'll be sure to get them downloaded on this one.

#10 pomp

Malware Fighter


Posted 09 August 2007 - 10:44 AM

Glad I could help!

This topic is now closed.
