Trying To Remove Hijacker


12 replies to this topic

#1 gowron29


Posted 19 October 2007 - 09:38 PM

My browser diverts me to other sites where I don't want to go. I have attached my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:53 PM, on 10/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\dlbxcoms.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0CE60FEB-D67C-423F-B6F3-6FF55E5D36F0} - c:\docume~1\dad\locals~1\temp\gcnrnqrf.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {581BD496-F8FF-4D10-890B-CA464069502B} - c:\windows\system32\ioagioa.dll
O2 - BHO: (no name) - {72F51C53-CCC2-4127-AB9E-0E7806787470} - c:\windows\system32\ioagioa.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179486030718
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: hpghulnk - C:\WINDOWS\SYSTEM32\ioagioa.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DataWorx PLC (DataWorxPLC) - Inteworx.net - C:\Program Files\AutomationDirect\DataWorx PLC\DataWorxPLCServer.exe
O23 - Service: DataWorx WinPLC (DataWorxWinPLC) - Inteworx.net - C:\Program Files\AutomationDirect\DataWorx WinPLC\DataWorxWinPLCServer.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\System32\dlbxcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 9525 bytes


In advance, thank you.
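As an added example (not code from the thread, from HijackThis or from its author), the script below parses the R*/O* entry lines of the HijackThis v2 log format shown above and flags the patterns a malware-response helper checks first: an unnamed BHO loading from a temp folder, an orphaned BHO with no file, an ActiveX download from a bare IP address, an unknown Winlogon Notify package, and one module registered under more than one load point (here ioagioa.dll, present as both O2 and O20). The sample lines are copied from the log above; the Winlogon Notify whitelist, the temp-folder markers and the severity labels are this example's own assumptions.

```python
"""Triage of Trend Micro HijackThis v2 log entries (added example).

Parses the R*/O* entry lines of an HJT log and raises the findings a
malware-response helper checks first. The sample lines are copied from
the log posted above; the Winlogon Notify whitelist, the temp-folder
markers and the severity labels are this example's own assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the entry lines from the first log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0CE60FEB-D67C-423F-B6F3-6FF55E5D36F0} - c:\docume~1\dad\locals~1\temp\gcnrnqrf.dll
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O2 - BHO: (no name) - {581BD496-F8FF-4D10-890B-CA464069502B} - c:\windows\system32\ioagioa.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O20 - Winlogon Notify: hpghulnk - C:\WINDOWS\SYSTEM32\ioagioa.dll
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>" + CLSID + r")(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Path fragments that mean "loaded from a user temp folder" (assumed heuristic).
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumed whitelist of Winlogon Notify packages that ship with Windows XP SP2.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scardsvr", "schedule",
                "sclgntfy", "seclogon", "termsrv", "wlballoon", "wgalogon"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    section: str    # HJT section (O2, O16, O20) or "cross-ref"
    detail: str


def parse_entries(log_text):
    """Yield (section, body) for every R*/O* entry line in an HJT log."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m["section"], m["body"]


def triage(log_text):
    """Return the findings a helper would raise on a first read of the log."""
    findings = []
    load_points = defaultdict(set)   # lower-cased module path -> sections loading it

    for section, body in parse_entries(log_text):
        if section == "O2" and (m := BHO_RE.match(body)):
            path = m["path"].lower()
            if path == "(no file)":
                findings.append(Finding("medium", section,
                                        f"orphaned BHO {m['clsid']} (no file on disk)"))
                continue
            load_points[path].add(section)
            if m["name"] == "(no name)":
                sev = "high" if any(t in path for t in TEMP_MARKERS) else "medium"
                findings.append(Finding(sev, section, f"unnamed BHO loads {path}"))
        elif section == "O16" and (m := DPF_RE.match(body)):
            host = urlparse(m["url"]).hostname or ""
            if IPV4_HOST.match(host) or not m["name"]:
                findings.append(Finding("high", section,
                                        f"ActiveX download {m['clsid']} from {m['url']}"))
        elif section == "O20" and (m := NOTIFY_RE.match(body)):
            path = m["path"].lower()
            load_points[path].add(section)
            if m["name"].lower() not in KNOWN_NOTIFY:
                findings.append(Finding("high", section,
                                        f"unknown Winlogon Notify package {m['name']} -> {path}"))

    # One module registered under two different autoload mechanisms is the
    # strongest signal here: a DLL that is both a BHO and a Winlogon Notify
    # package is loaded at every logon as well as by the browser.
    for path, sections in load_points.items():
        if len(sections) > 1:
            findings.append(Finding("high", "cross-ref",
                                    f"{path} registered in {', '.join(sorted(sections))}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:9} {f.detail}")
```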



#2 RichieUK

  • Malware Response Team

Posted 20 October 2007 - 05:15 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, gowron29 :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot post the contents of the logfile C:\fixwareout\report.txt in your next reply.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Click on Start/Run, copy and paste the following bold text into the 'Open:' space, then press OK:
"%userprofile%\desktop\combofix.exe" /killall
Combofix.exe will start, please follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.

#3 gowron29


Posted 21 October 2007 - 07:54 PM

Richie,

Thank you for helping me to get rid of this problem. I have attached the following reports in the order that you requested.

The first one is the Fixwareout report:

Username "Dad" - 10/21/2007 14:55:13 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
....
....
~~~~~ Misc files.
C:\Documents and Settings\Dad\Application Data\Install.dat Deleted
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)

....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

The next one is the results from SDFix:

SDFix: Version 1.110

Run by Dad on Sun 10/21/2007 at 04:40 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\WLXOMQF.EXE - Deleted
C:\WINDOWS\update.exe - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 19 Mar 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 19 Mar 2004 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv19.bak"
Thu 23 Nov 2006 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Thu 23 Nov 2006 48 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Mon 17 Jan 2005 121,856 ...H. --- "C:\Documents and Settings\Mom\Desktop\~WRL0824.tmp"
Fri 21 Jul 2006 20,992 ...H. --- "C:\Documents and Settings\Mom\Desktop\~WRL2534.tmp"
Thu 30 Jun 2005 20,992 ...H. --- "C:\Documents and Settings\Mom\Desktop\~WRL3947.tmp"
Mon 15 Mar 2004 22,528 A..H. --- "C:\Documents and Settings\Dad\My Documents\ODU Courses\EET 315\~WRL3828.tmp"
Thu 5 Aug 2004 33,280 A..H. --- "C:\Documents and Settings\Dad\My Documents\ODU Courses\EET 330 and 335\~WRL0537.tmp"
Thu 5 Aug 2004 33,280 A..H. --- "C:\Documents and Settings\Dad\My Documents\ODU Courses\EET 330 and 335\~WRL0790.tmp"
Thu 5 Aug 2004 33,792 A..H. --- "C:\Documents and Settings\Dad\My Documents\ODU Courses\EET 330 and 335\~WRL1548.tmp"
Thu 5 Aug 2004 33,792 A..H. --- "C:\Documents and Settings\Dad\My Documents\ODU Courses\EET 330 and 335\~WRL3631.tmp"
Sat 25 Oct 2003 62,464 A..H. --- "C:\Documents and Settings\Dad\My Documents\ODU Courses\ENMA 301\~WRL0003.tmp"
Sat 30 Oct 2004 20,480 ...H. --- "C:\Documents and Settings\Mom\Desktop\3.5 SCHOOL FLOPPIES\Novels\~WRL0131.tmp"
Tue 4 Jan 2005 28,160 A..H. --- "C:\Documents and Settings\Mom\Desktop\Career Conference\Career Research Project English Bulletin\~WRL0001.tmp"
Tue 25 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4cd8fa349c86e90c2d5b6edfe250f0d9\download\BIT1A.tmp"
Tue 4 Jan 2005 28,160 A..H. --- "C:\Documents and Settings\Mom\Desktop\Flash Drive\Career Conference\Career Research Project English Bulletin\~WRL0001.tmp"
Sat 17 Sep 2005 59,392 A..H. --- "C:\Documents and Settings\Dad\My Documents\K of C Folder\2005-2006 Files\Outgoing Letters\September 2005\~WRL1363.tmp"
Mon 20 Feb 2006 39,424 A..H. --- "C:\Documents and Settings\Dad\My Documents\K of C Folder\2005-2006 Files\Forms and Reports\Council Activities\Submitted Activities\~WRL0642.tmp"
Mon 20 Feb 2006 42,496 A..H. --- "C:\Documents and Settings\Dad\My Documents\K of C Folder\2005-2006 Files\Forms and Reports\Council Activities\Submitted Activities\~WRL2140.tmp"
Mon 20 Feb 2006 43,008 A..H. --- "C:\Documents and Settings\Dad\My Documents\K of C Folder\2005-2006 Files\Forms and Reports\Council Activities\Submitted Activities\~WRL2367.tmp"
Mon 20 Feb 2006 43,520 A..H. --- "C:\Documents and Settings\Dad\My Documents\K of C Folder\2005-2006 Files\Forms and Reports\Council Activities\Submitted Activities\~WRL3423.tmp"

Finished!

After I ran SDFix, I could not access the Internet. I used the Restore Point where I uploaded the Java software. Once the Restore Point was loaded, I was able to access the Internet.

The next log is the ComboFix.txt file:

ComboFix 07-10-22.1 - Dad 2007-10-21 20:23:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.483 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mom\Local Settings\Application Data\microsoft\internet explorer\filters
C:\Documents and Settings\Mom\Local Settings\Application Data\microsoft\internet explorer\filters\filter.drv
C:\Documents and Settings\Mom\Local Settings\Application Data\microsoft\internet explorer\filters\prx475a.dll
C:\Documents and Settings\Mom\Local Settings\Application Data\microsoft\internet explorer\filters\prx475c.dll
C:\Documents and Settings\Mom\Local Settings\Application Data\microsoft\internet explorer\filters\prx482b.dll
C:\Documents and Settings\Mom\Local Settings\Application Data\microsoft\internet explorer\filters\prx531e.dll
C:\Documents and Settings\Mom\Local Settings\Application Data\microsoft\internet explorer\filters\prx54e.dll
C:\Documents and Settings\Mom\Local Settings\Application Data\microsoft\internet explorer\filters\torun.exe
C:\WINDOWS\system32\drivers\hd_dirs.cfg
C:\WINDOWS\system32\drivers\hd_rkeys.cfg
C:\WINDOWS\system32\drivers\hd_rvals.cfg
C:\WINDOWS\system32\drivers\lsisrmki.dat
C:\WINDOWS\system32\drivers\lsisrmki.sys
C:\WINDOWS\system32\drivers\snkwevbj.dat
C:\WINDOWS\system32\drivers\snkwevbj.sys
C:\WINDOWS\System32\ioagioa.dll
C:\WINDOWS\system32\ioagioa.dll.bak
C:\WINDOWS\update.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FCQWHXIK
-------\LEGACY_HFLT_IPF
-------\LEGACY_NNSERV
-------\LEGACY_NOITTUKV
-------\fcqwhxik
-------\noittukv


((((((((((((((((((((((((( Files Created from 2007-09-22 to 2007-10-22 )))))))))))))))))))))))))))))))
.

2007-10-21 20:15 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-21 16:37 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-21 16:11 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-17 20:00 41,728 --a------ C:\WINDOWS\SYSTEM32\gegwioew.dat
2007-10-16 19:55 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-10-04 20:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-30 16:21 741,632 --a------ C:\WINDOWS\SYSTEM32\wmrmfhnx.dat
2007-09-30 16:21 118,528 --a------ C:\WINDOWS\SYSTEM32\fkyedvcq.dat
2007-09-30 16:21 35,584 --a------ C:\WINDOWS\SYSTEM32\kngkujmi.dat
2007-09-30 16:21 34,560 --a------ C:\WINDOWS\SYSTEM32\zpcjpsfs.dat
2007-09-27 20:43 <DIR> d-------- C:\Program Files\iPod
2007-09-27 20:43 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\Apple Computer
2007-09-27 20:43 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\Apple Computer
2007-09-27 20:42 <DIR> d-------- C:\Program Files\iTunes
2007-09-27 20:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-09-27 20:39 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2007-09-27 20:39 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-09-27 20:39 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-27 20:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-09-25 22:43 128,896 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmgr.sys
2007-09-25 22:43 23,040 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmc.exe
2007-09-25 22:43 16,896 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fltlib.dll
2007-09-24 20:23 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2007-09-24 20:16 <DIR> d-------- C:\WINDOWS\provisioning
2007-09-24 20:16 <DIR> d-------- C:\WINDOWS\peernet
2007-09-24 20:09 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-09-24 19:33 <DIR> d-------- C:\WINDOWS\EHome

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-21 20:15 --------- d-----w C:\Program Files\Java
2007-10-21 13:35 --------- d-----w C:\Program Files\Dl_cats
2007-10-15 13:03 --------- d-----w C:\Program Files\Palm
2007-10-08 14:40 --------- d-----w C:\Program Files\Spyware Terminator
2007-10-08 14:20 --------- d-----w C:\Program Files\Trend Micro
2007-10-06 15:10 --------- d-----w C:\Program Files\Juno
2007-10-06 15:00 --------- d-----w C:\Documents and Settings\Mom\Application Data\Spyware Terminator
2007-09-28 00:42 --------- d-----w C:\Program Files\QuickTime
2007-09-26 22:19 --------- d-----w C:\Documents and Settings\Trevor Vuono\Application Data\Spyware Terminator
2007-09-19 00:22 --------- d-----w C:\Program Files\SealedMedia
2007-09-11 00:16 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-09-11 00:01 --------- d-----w C:\Program Files\Dell Photo AIO Printer 962
2007-09-10 16:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-02 00:38 2,719,216 ----a-w C:\Program Files\ccsetup140.exe
2005-08-29 20:07 62,976 ----a-w C:\Documents and Settings\Trevor Vuono\Application Data\GDIPFONTCACHEV1.DAT
2005-07-23 12:13 62,976 ----a-w C:\Documents and Settings\Dad\Application Data\GDIPFONTCACHEV1.DAT
2005-07-23 12:13 62,976 ----a-w C:\DOCUME~1\Dad\APPLIC~1\GDIPFONTCACHEV1.DAT
2005-07-22 03:09 62,976 ----a-w C:\Documents and Settings\Mom\Application Data\GDIPFONTCACHEV1.DAT
2003-01-23 20:45 36,460 ----a-w C:\Program Files\DeIsL1.isu
2003-01-23 20:44 632 ----a-w C:\Program Files\compnts.dat
2003-01-23 20:44 5,699 ----a-w C:\Program Files\msimini.tpl
2003-01-23 20:44 37 ----a-w C:\Program Files\docs.dat
2003-01-09 18:19 9,764,716 ----a-w C:\Program Files\PalmDesktop41ENG.exe
2003-01-09 17:28 1,803,464 ----a-w C:\Program Files\winzip81.exe
2003-01-09 17:19 8,839,120 ----a-w C:\Program Files\AcroReader51_ENU.exe
2003-01-09 04:01 8,009,656 ----a-w C:\Program Files\junoinst.exe
2003-01-04 08:23 207,758 ----a-w C:\Program Files\INSTALL.LOG
2003-01-04 07:53 35 ----a-w C:\DOCUME~1\DELL\SYSINFO.DAT
2003-01-04 07:52 132 ----a-w C:\DOCUME~1\DELL\USBS3KB.REG
2002-09-03 14:31 28,672 ----a-w C:\DOCUME~1\DELL\ATAPI.EXE
2002-07-25 21:46 28,672 ----a-w C:\DOCUME~1\DELL\UWAKEON.EXE
2002-07-25 21:45 28,672 ----a-w C:\DOCUME~1\DELL\UWAKEOFF.EXE
1999-08-25 20:17 79,024 ----a-w C:\DOCUME~1\DELL\EXPRESS.EXE
1999-07-14 23:44 13,043 ----a-w C:\DOCUME~1\DELL\DOSXPRES.EXE
1997-07-22 16:49 176,128 ----a-w C:\Program Files\README.WRI
1996-08-16 19:49 298,496 ----a-w C:\Program Files\uninst.exe
1996-07-31 17:51 38,912 ----a-w C:\DOCUME~1\DELL\P_ESCG.DAT
1995-07-11 15:50 398,416 ----a-w C:\DOCUME~1\DELL\VBRUN300.DLL
1995-02-02 20:19 766 ----a-w C:\Program Files\MANUAL1.ICO
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 344,064 2004-12-01 02:10:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 212,992 2002-12-03 16:25:26 C:\Program Files\Common Files\Dell\EUSW\bak\Support.exe

----a-w 151,597 2003-08-31 01:28:32 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 255,520 2006-11-17 01:35:16 C:\Program Files\Ebates__MoeMoney__Maker\bak\ebatesmmmv.exe

----a-w 69,632 2001-08-02 18:11:42 C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe

----a-w 45,056 2001-08-13 20:18:26 C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\bak\Hpi_Monitor.exe

----a-w 36,975 2005-11-10 17:03:52 C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe

----a-w 1,511,453 2002-08-20 21:08:38 C:\Program Files\Messenger\bak\msmsgs.exe
----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\msmsgs.exe

----a-w 53,248 2003-06-26 22:04:20 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe

----a-w 114,688 2003-06-26 22:04:18 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe

----a-w 77,824 2004-08-26 23:39:04 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-06-29 10:24:52 C:\Program Files\QuickTime\QTTask.exe

----a-w 679,936 2002-04-10 22:44:04 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe

----a-w 94,208 2003-08-05 17:06:28 C:\Program Files\SealedMedia\bak\sealmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"nwiz"="nwiz.exe" [2004-10-29 18:50 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 18:50]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 18:50]
"dlbxmon.exe"="C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe" [2005-01-18 10:57]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 02:26]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 01:31]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-09-03 12:25]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-09-03 12:26]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-09-03 12:26]
"DLBXCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2004-12-07 16:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\Documents and Settings\Mom\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\pmw\PMREMIND.EXE [1997-10-20 12:31:00]
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2002-07-18 12:58:46]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-01-04 04:17:02]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{20d8bda1-1958-11d6-b00f-00b0d0c6b6a5}"= C:\Program Files\McAfee\McAfee Internet Security\GDSHEXT.DLL [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R2 DLPortIO;DriverLINX Port I/O Driver;C:\WINDOWS\system32\drivers\DLPortIO.sys
S2 DataWorxPLC;DataWorx PLC;C:\Program Files\AutomationDirect\DataWorx PLC\DataWorxPLCServer.exe
S2 DataWorxWinPLC;DataWorx WinPLC;C:\Program Files\AutomationDirect\DataWorx WinPLC\DataWorxWinPLCServer.exe
S3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys
S3 dsreader;MaxDrive Driver (dsreader.sys);C:\WINDOWS\system32\Drivers\dsreader.sys
S3 FANTOM;LEGO MINDSTORMS NXT Driver;C:\WINDOWS\system32\DRIVERS\fantom.sys
S3 jgameenp;jgameenp;\??\C:\DOCUME~1\TREVOR~1\LOCALS~1\Temp\jgameenp.sys
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 20:29:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-21 20:39:19 - machine was rebooted
.
--- E O F ---

The last file is the HijackThis log after all the programs were run:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:17 PM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\dlbxcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179486030718
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DataWorx PLC (DataWorxPLC) - Inteworx.net - C:\Program Files\AutomationDirect\DataWorx PLC\DataWorxPLCServer.exe
O23 - Service: DataWorx WinPLC (DataWorxWinPLC) - Inteworx.net - C:\Program Files\AutomationDirect\DataWorx WinPLC\DataWorxWinPLCServer.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\System32\dlbxcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 7760 bytes


Once again, Richie, thank you for your help.

Gowron29

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:13 AM

Posted 21 October 2007 - 08:11 PM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\SYSTEM32\gegwioew.dat
C:\WINDOWS\SYSTEM32\wmrmfhnx.dat
C:\WINDOWS\SYSTEM32\fkyedvcq.dat
C:\WINDOWS\SYSTEM32\kngkujmi.dat
C:\WINDOWS\SYSTEM32\zpcjpsfs.dat

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Download FindAWF.exe and save it to your desktop:
http://noahdfear.geekstogo.com/FindAWF.exe
Double-click FindAWF.exe to start the tool.
Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
A text file will open up.
Please copy and paste the following bold text inside the quote box below into the text file:

"C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
"C:\Program Files\Common Files\Dell\EUSW\bak\Support.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Ebates__MoeMoney__Maker\bak\ebatesmmmv.exe"
"C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\bak\Hpi_Monitor.exe"
"C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"
"C:\Program Files\Messenger\bak\msmsgs.exe"
"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"
"C:\Program Files\SealedMedia\bak\sealmon.exe"


Close the files.txt and click Yes to save the changes.
FindAWF will now terminate the bad processes if running, delete the bad files and restore/replace them with the good files.
Then it will open a log.
Copy and paste the contents of that log in your next reply.

#5 gowron29

gowron29
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:13 AM

Posted 22 October 2007 - 05:56 PM

Richie,

I have attached the text file from FindAWF:

Directory of C:\PROGRA~1\MESSEN~1\BAK

08/20/2002 05:08 PM 1,511,453 msmsgs.exe
1 File(s) 1,511,453 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

08/26/2004 07:39 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\SEALED~1\BAK

08/05/2003 01:06 PM 94,208 sealmon.exe
1 File(s) 94,208 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

11/30/2004 10:10 PM 344,064 atiptaxx.exe
1 File(s) 344,064 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK

08/02/2001 02:11 PM 69,632 hpgs2wnd.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

06/26/2003 06:04 PM 114,688 mm_tray.exe
06/26/2003 06:04 PM 53,248 mmtask.exe
2 File(s) 167,936 bytes

Directory of C:\PROGRA~1\COMMON~1\DELL\EUSW\BAK

12/03/2002 12:25 PM 212,992 Support.exe
1 File(s) 212,992 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

08/30/2003 09:28 PM 151,597 realsched.exe
1 File(s) 151,597 bytes

Directory of C:\PROGRA~1\HEWLET~1\PHOTOS~1\PHOTOI~1\BAK

08/13/2001 04:18 PM 45,056 Hpi_Monitor.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

11/10/2005 01:03 PM 36,975 jusched.exe
1 File(s) 36,975 bytes


04/10/2002 06:44 PM 679,936 DirectCD.exe
1 File(s) 679,936 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

255520 Nov 16 2006 "C:\Program Files\Ebates__MoeMoney__Maker\ebatesmmmv.exe"
255520 Nov 16 2006 "C:\Program Files\Ebates__MoeMoney__Maker\bak\ebatesmmmv.exe"
1511453 Aug 20 2002 "C:\Program Files\Messenger\msmsgs.exe"
1667584 Aug 4 2004 "C:\WINDOWS\$NtUninstallKB887472$\msmsgs.exe"
1511453 Aug 20 2002 "C:\Program Files\Messenger\bak\msmsgs.exe"
1694208 Oct 13 2004 "C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe"
1667584 Aug 4 2004 "C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\msmsgs.exe"
77824 Aug 26 2004 "C:\Program Files\QuickTime\qttask.exe"
77824 Aug 26 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
94208 Aug 5 2003 "C:\Program Files\SealedMedia\sealmon.exe"
94208 Aug 5 2003 "C:\Program Files\SealedMedia\bak\sealmon.exe"
344064 Nov 30 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
344064 Nov 30 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
69632 Aug 2 2001 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
69632 Aug 2 2001 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
53248 Jun 26 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
53248 Jun 26 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
53248 Sep 14 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe"
114688 Jun 26 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
114688 Jun 26 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe"
114688 Sep 14 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
212992 Dec 3 2002 "C:\Program Files\Common Files\Dell\EUSW\Support.exe"
69632 Aug 22 2002 "C:\Program Files\Dell\Support\bin\Support.exe"
212992 Dec 3 2002 "C:\Program Files\Common Files\Dell\EUSW\bak\Support.exe"
212992 Dec 3 2002 "C:\Documents and Settings\All Users\Application Data\Dell\Alert\27\Support.exe"
151597 Aug 30 2003 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
151597 Aug 30 2003 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
45056 Aug 13 2001 "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
45056 Aug 13 2001 "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\bak\Hpi_Monitor.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"
679936 Apr 10 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
679936 Apr 10 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"


end of report

Once again, thank you for your assistance.

Gowron29

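The FindAWF report above lists every file found in a `bak` folder alongside every file of the same name elsewhere on the disk, with size and date. The hijack FindAWF targets moves a legitimate autostart executable into a `bak` subfolder and drops its own file under the original name, so while the infection is active the live file and its `bak` copy differ; once the clean copy has been put back (option 2) the two are identical and the `bak` folder can go (option 3). The Python below, added here as an example and not code from this thread or from the FindAWF tool, parses that "Duplicate files of bak directory contents" format, decides for each `bak` file whether it is restored, still hijacked or missing its live counterpart, and lists the `bak` folders that are safe to remove. The first seven sample lines are copied from the report above; the ExampleApp and OtherApp lines are constructed to show the two failure cases and are not from this machine.

```python
import re
from collections import defaultdict

# Constructed sample input. The first seven lines are copied from the
# "Duplicate files of bak directory contents" section of the FindAWF report
# above; the ExampleApp and OtherApp lines are hypothetical, added only to
# exercise the "still hijacked" and "live file missing" cases.
SAMPLE_REPORT = r'''
255520 Nov 16 2006 "C:\Program Files\Ebates__MoeMoney__Maker\ebatesmmmv.exe"
255520 Nov 16 2006 "C:\Program Files\Ebates__MoeMoney__Maker\bak\ebatesmmmv.exe"
1511453 Aug 20 2002 "C:\Program Files\Messenger\msmsgs.exe"
1667584 Aug 4 2004 "C:\WINDOWS\$NtUninstallKB887472$\msmsgs.exe"
1511453 Aug 20 2002 "C:\Program Files\Messenger\bak\msmsgs.exe"
77824 Aug 26 2004 "C:\Program Files\QuickTime\qttask.exe"
77824 Aug 26 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
54784 Oct 18 2007 "C:\Program Files\ExampleApp\example.exe"
94208 Aug 5 2003 "C:\Program Files\ExampleApp\bak\example.exe"
36975 Nov 10 2005 "C:\Program Files\OtherApp\bin\bak\helper.exe"
'''

# One report line: <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^(\d+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')


def parse_report(text):
    """Map each listed path (lower-cased, since NTFS paths are
    case-insensitive) to its (size, date) as printed by FindAWF."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m.group(3).lower()] = (int(m.group(1)), m.group(2))
    return entries


def classify_bak_files(entries):
    """For every file sitting in a bak folder, compare it with the file at
    the original location one level up.  Verdicts:
      restored     - live file has the same size and date as the bak copy
      hijacked     - live file exists but differs (clean copy not yet back)
      live-missing - nothing at the original location at all
    Same-named files elsewhere (e.g. under $NtUninstall...$) are ignored."""
    verdicts = {}
    for path, stamp in entries.items():
        folder, _, name = path.rpartition('\\')
        if not folder.endswith('\\bak'):
            continue
        live = folder[:-len('\\bak')] + '\\' + name
        if live not in entries:
            verdicts[path] = 'live-missing'
        elif entries[live] == stamp:
            verdicts[path] = 'restored'
        else:
            verdicts[path] = 'hijacked'
    return verdicts


def bak_folders_safe_to_remove(verdicts):
    """A bak folder may be deleted only when every file in it has an
    identical live counterpart; one unresolved file keeps the whole folder."""
    by_folder = defaultdict(list)
    for path, verdict in verdicts.items():
        by_folder[path.rpartition('\\')[0]].append(verdict)
    return sorted(folder for folder, vs in by_folder.items()
                  if all(v == 'restored' for v in vs))


if __name__ == '__main__':
    verdicts = classify_bak_files(parse_report(SAMPLE_REPORT))
    for path, verdict in sorted(verdicts.items()):
        print(f'{verdict:12} {path}')
    print('safe to remove:', *bak_folders_safe_to_remove(verdicts), sep='\n  ')
```

Size and date are the only attributes the report carries, so that is all the script compares; on a live machine you would hash both files before trusting a "restored" verdict, since a replacement padded to the same length would pass this check.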
#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:13 AM

Posted 23 October 2007 - 05:36 AM

Double-click FindAWF.exe to start the tool.
Select option #3 - Remove bak folders by typing 3 and press 'Enter'
A text file will open up.
Please copy/paste the following bold text inside the quote box below into the text file:

"C:\Program Files\Messenger\bak"
"C:\Program Files\QuickTime\bak"
"C:\Program Files\SealedMedia\bak"
"C:\Program Files\ATI Technologies\ATI Control Panel\bak"
"C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak"
"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak"
"C:\Program Files\Common Files\Dell\EUSW\bak"
"C:\Program Files\Common Files\Real\Update_OB\bak"
"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\bak"
"C:\Program Files\Java\jre1.5.0_06\bin\bak"
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak"


Then close folders.txt and let it save the changes.
FindAWF will now remove the bak folders and open a log afterwards.
Copy and paste the contents of that log in your next reply along with a new HijackThis log.

#7 gowron29

gowron29
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:13 AM

Posted 23 October 2007 - 03:57 PM

Richie,

Here is the AWF Report:

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Tue 10/23/2007
The current time is: 16:45:18.01


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\EBATES~1\BAK

11/16/2006 09:35 PM 255,520 ebatesmmmv.exe
1 File(s) 255,520 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

08/20/2002 05:08 PM 1,511,453 msmsgs.exe
1 File(s) 1,511,453 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

08/26/2004 07:39 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\SEALED~1\BAK

08/05/2003 01:06 PM 94,208 sealmon.exe
1 File(s) 94,208 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

11/30/2004 10:10 PM 344,064 atiptaxx.exe
1 File(s) 344,064 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK

08/02/2001 02:11 PM 69,632 hpgs2wnd.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

06/26/2003 06:04 PM 114,688 mm_tray.exe
06/26/2003 06:04 PM 53,248 mmtask.exe
2 File(s) 167,936 bytes

Directory of C:\PROGRA~1\COMMON~1\DELL\EUSW\BAK

12/03/2002 12:25 PM 212,992 Support.exe
1 File(s) 212,992 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

08/30/2003 09:28 PM 151,597 realsched.exe
1 File(s) 151,597 bytes

Directory of C:\PROGRA~1\HEWLET~1\PHOTOS~1\PHOTOI~1\BAK

08/13/2001 04:18 PM 45,056 Hpi_Monitor.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

11/10/2005 01:03 PM 36,975 jusched.exe
1 File(s) 36,975 bytes


04/10/2002 06:44 PM 679,936 DirectCD.exe
1 File(s) 679,936 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

255520 Nov 16 2006 "C:\Program Files\Ebates__MoeMoney__Maker\ebatesmmmv.exe"
255520 Nov 16 2006 "C:\Program Files\Ebates__MoeMoney__Maker\bak\ebatesmmmv.exe"
1511453 Aug 20 2002 "C:\Program Files\Messenger\msmsgs.exe"
1667584 Aug 4 2004 "C:\WINDOWS\$NtUninstallKB887472$\msmsgs.exe"
1511453 Aug 20 2002 "C:\Program Files\Messenger\bak\msmsgs.exe"
1694208 Oct 13 2004 "C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe"
1667584 Aug 4 2004 "C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\msmsgs.exe"
77824 Aug 26 2004 "C:\Program Files\QuickTime\qttask.exe"
77824 Aug 26 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
94208 Aug 5 2003 "C:\Program Files\SealedMedia\sealmon.exe"
94208 Aug 5 2003 "C:\Program Files\SealedMedia\bak\sealmon.exe"
344064 Nov 30 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
344064 Nov 30 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
69632 Aug 2 2001 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
69632 Aug 2 2001 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
53248 Jun 26 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
53248 Jun 26 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
53248 Sep 14 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe"
114688 Jun 26 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
114688 Jun 26 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe"
114688 Sep 14 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
212992 Dec 3 2002 "C:\Program Files\Common Files\Dell\EUSW\Support.exe"
69632 Aug 22 2002 "C:\Program Files\Dell\Support\bin\Support.exe"
212992 Dec 3 2002 "C:\Program Files\Common Files\Dell\EUSW\bak\Support.exe"
212992 Dec 3 2002 "C:\Documents and Settings\All Users\Application Data\Dell\Alert\27\Support.exe"
151597 Aug 30 2003 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
151597 Aug 30 2003 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
45056 Aug 13 2001 "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
45056 Aug 13 2001 "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\bak\Hpi_Monitor.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"
679936 Apr 10 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
679936 Apr 10 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"


end of report

Here is the latest Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:54:29 PM, on 10/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\System32\dlbxcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179486030718
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DataWorx PLC (DataWorxPLC) - Inteworx.net - C:\Program Files\AutomationDirect\DataWorx PLC\DataWorxPLCServer.exe
O23 - Service: DataWorx WinPLC (DataWorxWinPLC) - Inteworx.net - C:\Program Files\AutomationDirect\DataWorx WinPLC\DataWorxWinPLCServer.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\System32\dlbxcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 7842 bytes

In advance, thank you.

Gowron29

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:13 AM

Posted 23 October 2007 - 04:42 PM

Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\Program Files\Ebates__MoeMoney__Maker
C:\Program Files\Messenger\bak
C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989
C:\Program Files\QuickTime\bak
C:\Program Files\SealedMedia\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak
C:\Program Files\Common Files\Dell\EUSW\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\bak
C:\Program Files\Java\jre1.5.0_06\bin\bak
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.


Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
Follow the directions in the F-Secure page for proper Installation.
Accept the License Agreement.
Once the ActiveX installs, click ‘Custom Scan’ and be sure the following are checked:
1.Scan whole System
2.Scan all files
3.Scan whole system for rootkits
4.Scan whole system for spyware
5.Scan inside archives
6.Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found, select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button, then copy and paste the entire report into your next reply.

Also post a new HijackThis log and let me know how your PC is running now.

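The fix list in the reply above covers three classes of HijackThis entry: O2/O3 registrations whose DLL no longer exists ("(no file)"), O6 policy restrictions set under HKCU, and an O16 ActiveX download served from a bare IP address with no registered description. The Python below, added as an example and not code from this thread or from HijackThis, applies those three checks to sample lines copied from the log posted earlier in the thread (with their benign neighbours left in so the triage has something to skip) and returns the lines you would tick before pressing 'Fix checked'. It deliberately says nothing about O4 autostarts, O15 trusted zones or O23 services, which the reply leaves alone.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: entries copied from the HijackThis log posted in this
# thread, including benign neighbours so the triage has something to skip.
SAMPLE_LOG = r'''
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
'''

# "O16 - DPF: ..." -> section "O16", body "DPF: ..."
ENTRY_RE = re.compile(r'^([RO]\d+)\s+-\s+(.*)$')


def parse_entries(text):
    """Yield (section, body, raw_line) for every HijackThis entry line."""
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def is_ip_literal(host):
    """True when the download host is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(text):
    """Return [(section, reason, raw_line)] for the three entry classes the
    reply above marks for fixing; everything else is left untouched."""
    findings = []
    for section, body, raw in parse_entries(text):
        if section in ('O2', 'O3') and body.endswith('(no file)'):
            findings.append((section, 'CLSID registered but its DLL is gone', raw))
        elif section == 'O6':
            findings.append((section, 'IE policy restriction set under HKCU', raw))
        elif section == 'O16':
            # body looks like: DPF: {CLSID} (Description) - http://host/file.cab
            head, _, url = body.rpartition(' - ')
            host = urlparse(url).hostname or ''
            reasons = []
            if is_ip_literal(host):
                reasons.append('ActiveX download host is a bare IP address')
            if not head.rstrip().endswith(')'):
                reasons.append('control has no registered description')
            if reasons:
                findings.append((section, '; '.join(reasons), raw))
    return findings


def fix_list(text):
    """The raw lines to tick in HijackThis, in log order."""
    return [raw for _, _, raw in triage(text)]


if __name__ == '__main__':
    for section, reason, raw in triage(SAMPLE_LOG):
        print(f'{section:4} {reason}\n     {raw}')
```

Running it on the sample returns exactly the six lines in the reply's fix list; the Acrobat and Google entries, the QuickTime O4 and the Dell O16 with a named control and a hostname are passed over.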
#9 gowron29

gowron29
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:13 AM

Posted 25 October 2007 - 08:25 PM

Richie,

Here are the following files that you have requested.

The first result is the OTMoveIt file. I could not retrieve a copy, but this message repeated itself over 20 times:

C:\windows\software distribution\download\6ca7b3a8

After that:

C:\Program Files\Ebates__MoeMoney__Maker
C:\Program Files\Messenger\bak
C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989
C:\Program Files\QuickTime\bak
C:\Program Files\SealedMedia\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak
C:\Program Files\Common Files\Dell\EUSW\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\bak
C:\Program Files\Java\jre1.5.0_06\bin\bak
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak

The next report is the SuperAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/23/2007 at 10:15 PM

Application Version : 3.9.1008

Core Rules Database Version : 3329
Trace Rules Database Version: 1330

Scan type : Complete Scan
Total Scan Time : 01:38:34

Memory items scanned : 397
Memory threats detected : 0
Registry items scanned : 5674
Registry threats detected : 1
File items scanned : 74086
File threats detected : 50

Adware.Tracking Cookie
C:\Documents and Settings\Dad\Cookies\dad@1071422301[1].txt
C:\Documents and Settings\Dad\Cookies\dad@adopt.specificclick[2].txt
C:\Documents and Settings\Dad\Cookies\dad@1057612327[2].txt
C:\Documents and Settings\Dad\Cookies\dad@ads.associatedcontent[2].txt
C:\Documents and Settings\Dad\Cookies\dad@web-stat[2].txt
C:\Documents and Settings\Dad\Cookies\dad@coxhsi.112.2o7[1].txt
C:\Documents and Settings\Dad\Cookies\dad@revsci[2].txt
C:\Documents and Settings\Dad\Cookies\dad@richmedia.yahoo[2].txt
C:\Documents and Settings\Dad\Cookies\dad@tacoda[1].txt
C:\Documents and Settings\Dad\Cookies\dad@1065256500[1].txt
C:\Documents and Settings\Dad\Cookies\dad@anad.tacoda[1].txt
C:\Documents and Settings\Dad\Cookies\dad@2o7[1].txt
C:\Documents and Settings\Dad\Cookies\dad@e-2dj6wcmikpajglo.stats.esomniture[2].txt
C:\Documents and Settings\Dad\Cookies\dad@hotlog[1].txt
C:\Documents and Settings\Dad\Cookies\dad@specificclick[1].txt
C:\Documents and Settings\Dad\Cookies\dad@www.clickmanage[2].txt
C:\Documents and Settings\Dad\Cookies\dad@ads.pointroll[1].txt
C:\Documents and Settings\Dad\Cookies\dad@serving-sys[1].txt
C:\Documents and Settings\Dad\Cookies\dad@1071802767[1].txt
C:\Documents and Settings\Dad\Cookies\dad@e-2dj6wjnyejcjwkp.stats.esomniture[2].txt
C:\Documents and Settings\Dad\Cookies\dad@atdmt[2].txt
C:\Documents and Settings\Dad\Cookies\dad@track.bestbuy[1].txt
C:\Documents and Settings\Dad\Cookies\dad@cbs.112.2o7[1].txt
C:\Documents and Settings\Dad\Cookies\dad@tracking.foxnews[1].txt
C:\Documents and Settings\Dad\Cookies\dad@bs.serving-sys[1].txt
C:\Documents and Settings\Mom\Cookies\mom@counter.hitslink[1].txt
C:\Documents and Settings\Mom\Cookies\mom@doubleclick[1].txt
C:\Documents and Settings\Trevor Vuono\Cookies\trevor vuono@ad.yieldmanager[2].txt
C:\Documents and Settings\Trevor Vuono\Cookies\trevor vuono@adbrite[2].txt
C:\Documents and Settings\Trevor Vuono\Cookies\trevor vuono@adopt.euroclick[1].txt
C:\Documents and Settings\Trevor Vuono\Cookies\trevor vuono@adopt.specificclick[1].txt
C:\Documents and Settings\Trevor Vuono\Cookies\trevor vuono@ads.addynamix[2].txt
C:\Documents and Settings\Trevor Vuono\Cookies\trevor vuono@ads.cartoonnetwork[1].txt
C:\Documents and Settings\Trevor Vuono\Cookies\trevor vuono@ads.realtechnetwork[2].txt
C:\Documents and Settings\Trevor Vuono\Cookies\trevor vuono@advertising[2].txt
C:\Documents and Settings\Trevor Vuono\Cookies\trevor vuono@atdmt[2].txt
C:\Documents and Settings\Trevor Vuono\Cookies\trevor vuono@bs.serving-sys[1].txt
C:\Documents and Settings\Trevor Vuono\Cookies\trevor vuono@casalemedia[1].txt
C:\Documents and Settings\Trevor Vuono\Cookies\trevor vuono@coxhsi.112.2o7[1].txt
C:\Documents and Settings\Trevor Vuono\Cookies\trevor vuono@doubleclick[1].txt
C:\Documents and Settings\Trevor Vuono\Cookies\trevor vuono@fastclick[1].txt
C:\Documents and Settings\Trevor Vuono\Cookies\trevor vuono@microsoftgamestudio.112.2o7[1].txt
C:\Documents and Settings\Trevor Vuono\Cookies\trevor vuono@partner2profit[2].txt
C:\Documents and Settings\Trevor Vuono\Cookies\trevor vuono@qnsr[1].txt
C:\Documents and Settings\Trevor Vuono\Cookies\trevor vuono@serving-sys[1].txt
C:\Documents and Settings\Trevor Vuono\Cookies\trevor vuono@tribalfusion[1].txt
C:\Documents and Settings\Trevor Vuono\Cookies\trevor vuono@www.burstnet[2].txt

Adware.IEPlugin
HKCR\Remove

Adware.EbatesMoeMoneyMaker
C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\EBATES__MOEMONEY__MAKER\BAK\EBATESMMMV.EXE
C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\EBATES__MOEMONEY__MAKER\EBATESMMMV.EXE

Adware.WebRebates
C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\EBATES__MOEMONEY__MAKER\EB.EXE

The next log is the F-Secure log:

Scanning Report
Wednesday, October 24, 2007 23:35:44 - 17:12:26
Computer name: FAMILY
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
________________________________________
Result: 83 malware found
Packed.Win32.Morphine.a (virus)
• C:\WINDOWS\SYSTEM32\ipv6mons.dll.ren (Submitted)
Rootkit.Win32.Agent.iy (virus)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0015680.sys (Submitted)
Rootkit.Win32.Agent.li (virus)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0033996.sys (Submitted)
• C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\snkwevbj.sys.vir (Submitted)
Rootkit.Win32.Agent.lj (virus)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP67\A0006882.sys (Submitted)
Rootkit.Win32.Small.c (virus)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0033995.sys (Submitted)
• C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\lsisrmki.sys.vir (Submitted)
SpamTool.Win32.Agent.am (virus)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0033998.dll (Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0033999.dll (Submitted)
• C:\qoobox\Quarantine\C\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\prx475a.dll.vir (Submitted)
• C:\qoobox\Quarantine\C\Documents and Settings\Mom\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\prx475c.dll.vir (Submitted)
Tracking Cookie (spyware)
• System (Disinfected)
• System
• System
• System
• System
• System
• System
• System
• System
• System
Trojan-Clicker.Win32.Delf.hi (virus)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP92\A0028514.dll (Renamed)
• C:\qoobox\Quarantine\catchme2007-10-21_203239.62.zip\ioagioa.dll.bak
Trojan-Clicker.Win32.Delf.jr (virus)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP91\A0028478.dll (Renamed)
Trojan-Clicker.Win32.Delf.jv (virus)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0015684.dll (Renamed & Submitted)
Trojan-Downloader.Win32.Agent.awf (virus)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP80\A0015723.rbf (Renamed & Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42\A0005576.exe (Renamed & Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42\A0005577.exe (Renamed & Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42\A0005578.exe (Renamed & Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42\A0005579.exe (Renamed & Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42\A0005580.exe (Renamed & Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42\A0005581.exe (Renamed & Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42\A0005582.exe (Renamed & Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42\A0005583.exe (Renamed & Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42\A0005584.exe (Renamed & Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42\A0005585.exe (Renamed & Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP42\A0005586.exe (Renamed & Submitted)
Trojan-Downloader.Win32.Agent.eld (virus)
• C:\WINDOWS\SYSTEM32\kngkujmi.dll.bak (Renamed & Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\A0017095.dll (Renamed)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP84\A0016100.dll (Renamed)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP83\A0016059.dll (Renamed)
Trojan-Downloader.Win32.Agent.ele (virus)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0015678.dll (Renamed)
Trojan-Downloader.Win32.Agent.elf (virus)
• C:\WINDOWS\SYSTEM32\zpcjpsfs.dll.bak (Renamed & Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\A0017093.dll (Renamed & Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP84\A0016098.dll (Renamed & Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP83\A0016057.dll (Renamed & Submitted)
Trojan-Dropper.Win32.Agent.bzw (virus)
• C:\WINDOWS\SYSTEM32\gegwioew.dll.bak (Renamed & Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0015679.dll (Renamed & Submitted)
Trojan-Dropper.Win32.Agent.cia (virus)
• C:\WINDOWS\SYSTEM32\wmrmfhnx.dll.bak (Renamed & Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\A0017094.dll (Renamed & Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP84\A0016099.dll (Renamed & Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP83\A0016058.dll (Renamed & Submitted)
Trojan-Dropper.Win32.Agent.cie (virus)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP91\A0028484.dll (Renamed & Submitted)
Trojan-Dropper.Win32.Agent.cig (virus)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP67\A0006881.dll (Renamed & Submitted)
Trojan-PSW.Win32.Nilage.bsz (virus)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP91\A0027406.dll (Renamed & Submitted)
Trojan.Win32.Agent.bsj (virus)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0015681.dll (Renamed & Submitted)
Trojan.Win32.Agent.bth (virus)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP71\A0007952.dll (Renamed & Submitted)
Trojan.Win32.Agent.cho (virus)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0004333.dll (Renamed & Submitted)
Trojan.Win32.Agent.cid (virus)
• C:\qoobox\Quarantine\catchme2007-10-21_203239.62.zip\snkwevbj.dat
Trojan.Win32.Delf.agw (virus)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0015683.dll (Renamed)
Trojan.Win32.Delf.ajz (virus)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0004337.dll (Renamed)
VX2 (spyware)
• System (Disinfected)
W32/BHO.QG (virus)
• C:\WINDOWS\SYSTEM32\daqchlas.dll (Submitted)
• C:\WINDOWS\SYSTEM32\daqchlas.dll.bak (Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP86\A0018172.dll (Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\A0017108.dll (Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP84\A0016097.dll (Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP84\A0016101.dll
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0015677.dll (Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP77\A0013851.dll (Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP77\A0013852.dll (Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP77\A0013853.dll (Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP71\A0007951.dll (Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP71\A0007953.dll (Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP67\A0006880.dll (Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP67\A0006883.dll (Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP39\A0005524.dll (Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP39\A0005525.dll (Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0004331.dll (Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0004332.dll
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0004334.dll (Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0004335.dll (Submitted)
• C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0003292.dll (Submitted)
________________________________________
Statistics
Scanned:
• Files: 444838
• System: 9628
• Not scanned: 74
Actions:
• Disinfected: 2
• Renamed: 38
• Deleted: 0
• None: 43
• Submitted: 60
Files not scanned:
• C:\HIBERFIL.SYS
• C:\PAGEFILE.SYS
• C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\EBATES__MOEMONEY__MAKER\EBMMD\F458EC77572C0.DAT
• C:\WINDOWS\SYSTEM32\BIOS1.ROM
• C:\WINDOWS\SYSTEM32\DRPMON.DLL.REN
• C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
• C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
• C:\WINDOWS\SYSTEM32\CONFIG\SAM
• C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
• C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
• C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
• C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.TMP.LOG
• C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
• C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
• C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
• C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
• C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
• C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB
• C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{402C2E00-F7A5-4773-B4AB-BD0DC1C8C469}.BIN
• C:\WINDOWS\.FILE_STORE_32\MAIN_FILE_CACHE.DAT
• C:\WINDOWS\.FILE_STORE_32\RUNESCAPE\MAIN_FILE_CACHE.DAT2
• C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
• C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL
• C:\WINDOWS\$NTUNINSTALLKB833407$\KB833407.CAT
• C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP92\A0030540.EXE
• C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP77\A0013820.PNF
• C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP77\A0013825.PNF
• C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP77\A0013826.PNF
• C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP77\A0013827.PNF
• C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP77\A0013828.PNF
• C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP77\A0013831.PNF
• C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP77\A0013833.PNF
• C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0002549.DLL
• C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0002550.DLL
• C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0002551.DLL
• C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0002552.DLL
• C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0002553.DLL
• C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0002554.DLL
• C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0002555.DLL
• C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0002556.DLL
• C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0002557.DLL
• C:\SYSTEM VOLUME INFORMATION\CATALOG.WCI\CIVP0000.001
• C:\SYSTEM VOLUME INFORMATION\CATALOG.WCI\CIVP0000.002
• C:\Program Files\winzip81.exe\SETUP.WZ\WINZIP32.EX_
• C:\PROGRAM FILES\GOLDPOCKET\BASEINSTALL5.ZIP
• C:\PROGRAM FILES\DELL\SUPPORT\UI\SEARCH\CATALOG.WCI\CIFLFFFC.001
• C:\PROGRAM FILES\DELL\SUPPORT\UI\SEARCH\CATALOG.WCI\CIFLFFFC.002
• C:\PROGRAM FILES\DELL\SUPPORT\UI\SEARCH\CATALOG.WCI\CISL0001.001
• C:\PROGRAM FILES\DELL\SUPPORT\UI\SEARCH\CATALOG.WCI\CISL0001.002
• C:\PROGRAM FILES\DELL\SUPPORT\UI\SEARCH\CATALOG.WCI\CIVP0000.001
• C:\PROGRAM FILES\DELL\SUPPORT\UI\SEARCH\CATALOG.WCI\CIVP0000.002
• C:\MY DOWNLOADS\NEWNET.EXE
• C:\matlab_sv13\java\jarext\mousewheel.jar\gui\JDialogFactory.class
• C:\I386\BIOS1.ROM
• C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
• C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
• C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
• C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
• C:\DOCUMENTS AND SETTINGS\DAD\NTUSER.DAT
• C:偭 W
________________________________________
Options
Scanning engines:
• F-Secure Libra: 2.4.2, 2007-10-24
• F-Secure AVP: 7.0.171, 2007-10-25
• F-Secure Orion: 1.2.37, 2007-10-25
• F-Secure Blacklight: 1.0.64
• F-Secure Draco: 1.0.35, 2007-10-15
• F-Secure Pegasus: 1.19.0, 2007-09-18
Scanning options:
• Scan all files
• Scan inside archives
• Use Advanced heuristics

The final report is HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:33 PM, on 10/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\dlbxcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179486030718
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DataWorx PLC (DataWorxPLC) - Inteworx.net - C:\Program Files\AutomationDirect\DataWorx PLC\DataWorxPLCServer.exe
O23 - Service: DataWorx WinPLC (DataWorxWinPLC) - Inteworx.net - C:\Program Files\AutomationDirect\DataWorx WinPLC\DataWorxWinPLCServer.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\System32\dlbxcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 7555 bytes


In advance, thank you.

Gowron29
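The F-Secure report above counts 83 hits, but most of the paths are System Restore copies (under System Volume Information\_restore{...}), files ComboFix had already quarantined under C:\qoobox, or copies disabled by renaming (.bak, .ren, .vir); "Submitted" only means a sample was uploaded and changes nothing on disk. What matters for the next step is the short list of detections still sitting in a live location with no neutralising action recorded, such as C:\WINDOWS\SYSTEM32\daqchlas.dll. The following script is an added example, not code from the thread or from F-Secure: it parses report text in that layout and buckets each item by where it lives. SAMPLE_REPORT is a constructed excerpt of a few lines in the shape of the report above, and the bucket names are the script's own.

```python
"""Triage an F-Secure Online Scanner report by where each detection lives.

Added example, not code from the thread or from F-Secure. For every detected
item it records whether the file is a System Restore copy, a copy already
quarantined by ComboFix (qoobox) or OTMoveIt, a copy disabled by renaming,
a registry/cookie item, or a live file that nothing has neutralised yet.
"""
import re
from collections import Counter

# Constructed excerpt in the layout of the report posted above (a few of its lines).
SAMPLE_REPORT = """\
Result: 83 malware found
Packed.Win32.Morphine.a (virus)
• C:\\WINDOWS\\SYSTEM32\\ipv6mons.dll.ren (Submitted)
Rootkit.Win32.Agent.li (virus)
• C:\\System Volume Information\\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\\RP96\\A0033996.sys (Submitted)
• C:\\qoobox\\Quarantine\\C\\WINDOWS\\SYSTEM32\\DRIVERS\\snkwevbj.sys.vir (Submitted)
Tracking Cookie (spyware)
• System (Disinfected)
Trojan-Downloader.Win32.Agent.eld (virus)
• C:\\WINDOWS\\SYSTEM32\\kngkujmi.dll.bak (Renamed & Submitted)
W32/BHO.QG (virus)
• C:\\WINDOWS\\SYSTEM32\\daqchlas.dll (Submitted)
• C:\\WINDOWS\\SYSTEM32\\daqchlas.dll.bak (Submitted)
________________________________________
Statistics
"""

# "Name (kind)" header line that precedes the items it was found in.
NAME_RE = re.compile(r"^(?P<name>\S.*?) \((?P<kind>virus|spyware|riskware|adware)\)$")
# "• path (Action & Action)" item line; the action list is optional.
ITEM_RE = re.compile(r"^[•*-]\s+(?P<path>.+?)(?:\s+\((?P<action>[^()]+)\))?$")

# Actions that change the file on disk; "Submitted" only uploads a sample.
NEUTRALISING_ACTIONS = {"renamed", "deleted", "disinfected"}


def classify_path(path):
    """Bucket one detection by the location and state of the file."""
    p = path.lower()
    if p == "system":
        return "registry_or_cookie"
    if p.startswith("c:\\system volume information\\_restore"):
        return "restore_point"
    if "\\qoobox\\quarantine\\" in p:
        return "combofix_quarantine"
    if "\\_otmoveit\\movedfiles\\" in p:
        return "otmoveit_quarantine"
    if p.endswith((".bak", ".ren", ".vir")):
        return "disabled_by_rename"
    return "live"


def parse_report(text):
    """Return one record per detected item, stopping at the Statistics block."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Statistics":
            break  # the "Files not scanned" list below would otherwise look like items
        m = NAME_RE.match(line)
        if m:
            current = (m.group("name"), m.group("kind"))
            continue
        m = ITEM_RE.match(line)
        if m and current:
            actions = {a.strip().lower() for a in (m.group("action") or "").split("&") if a.strip()}
            records.append({
                "name": current[0],
                "kind": current[1],
                "path": m.group("path"),
                "actions": actions,
                "where": classify_path(m.group("path")),
                "neutralised": bool(actions & NEUTRALISING_ACTIONS),
            })
    return records


def still_live(records):
    """Detections in a live location that no scanner action has neutralised."""
    return [r for r in records if r["where"] == "live" and not r["neutralised"]]


def summary(records):
    """Count of detections per bucket."""
    return Counter(r["where"] for r in records)


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for where, n in sorted(summary(recs).items()):
        print(f"{where:22s} {n}")
    for r in still_live(recs):
        print("STILL LIVE:", r["name"], r["path"])
```

Run against the full report, the restore-point entries go away by disabling and re-enabling System Restore once the machine is clean, and the quarantine entries are whatever ComboFix and OTMoveIt already removed from the running system; the "live" bucket is the list to act on.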

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 25 October 2007 - 08:37 PM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens,copy and paste ALL the following text inside the quote box below:

Files to delete:
C:\MY DOWNLOADS\NEWNET.EXE

Folders to delete:
C:\Program Files\Ebates__MoeMoney__Maker
C:\Program Files\Messenger\bak
C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989
C:\Program Files\QuickTime\bak
C:\Program Files\SealedMedia\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak
C:\Program Files\Common Files\Dell\EUSW\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\bak
C:\Program Files\Java\jre1.5.0_06\bin\bak
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.
Also post a new Hijackthis log.
Let me know how your pc is running now.
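Every folder in the script above also appears, re-rooted under C:\_OTMOVEIT\MOVEDFILES\..., in the SUPERAntiSpyware log of the previous post, which means OTMoveIt has already moved them; Avenger only reports what happened after the reboot, so targets that are already gone show up as failures. The following pre-flight check is an added example, not Avenger's code and not from the thread: it parses the "<what> to <action>:" sections of an Avenger script and classifies every target as still present, already in the OTMoveIt quarantine, or missing. The quarantine layout (original path re-rooted under C:\_OTMOVEIT\MOVEDFILES) is assumed from the paths in the SAS log; SAMPLE_DISK is a constructed stand-in for the file system so the script runs offline, and on the affected machine os.path.exists would be passed instead.

```python
"""Pre-flight check for an Avenger script against what is actually on disk.

Added example, not Avenger's own code and not from the thread. It reads the
"<what> to <action>:" sections of an Avenger script and reports, per target,
whether it is still present, already sits in the OTMoveIt quarantine, or is
gone, so a 'not found' result is recognised before the reboot rather than after.
"""
import ntpath
import re

# Section header such as "Files to delete:" or "Folders to delete:".
SECTION_RE = re.compile(r"^(?P<what>[A-Za-z ]+?) to (?P<action>[a-z ]+):$")

# Assumed OTMoveIt layout, as the SUPERAntiSpyware log above shows it:
# C:\Program Files\X ends up at C:\_OTMOVEIT\MOVEDFILES\Program Files\X.
OTMOVEIT_ROOT = r"C:\_OTMOVEIT\MOVEDFILES"

# Constructed script using a subset of the entries from the post above.
SAMPLE_SCRIPT = r"""
Files to delete:
C:\MY DOWNLOADS\NEWNET.EXE

Folders to delete:
C:\Program Files\Ebates__MoeMoney__Maker
C:\Program Files\Messenger\bak
C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989
"""

# Constructed stand-in for the file system at check time (not a real listing).
SAMPLE_DISK = {
    r"C:\MY DOWNLOADS\NEWNET.EXE",
    r"C:\_OTMOVEIT\MOVEDFILES\Program Files\Ebates__MoeMoney__Maker",
    r"C:\_OTMOVEIT\MOVEDFILES\Program Files\Messenger\bak",
}


def parse_avenger_script(text):
    """Return [(section, path), ...] in script order, skipping blank lines."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = f"{m.group('what').lower()} to {m.group('action').lower()}"
            continue
        if section is None:
            raise ValueError(f"path before any section header: {line!r}")
        entries.append((section, line))
    return entries


def quarantined_path(path, root=OTMOVEIT_ROOT):
    """Where OTMoveIt would have put `path`: the same path re-rooted under `root`."""
    _drive, rest = ntpath.splitdrive(path)
    return ntpath.join(root, rest.lstrip("\\"))


def preflight(script_text, exists):
    """Classify every target as 'present', 'quarantined' or 'missing'.

    `exists` maps a path to a bool; on the affected machine use os.path.exists.
    """
    report = []
    for section, path in parse_avenger_script(script_text):
        if exists(path):
            state = "present"
        elif exists(quarantined_path(path)):
            state = "quarantined"
        else:
            state = "missing"
        report.append((section, path, state))
    return report


def disk_lookup(listing):
    """Case-insensitive existence check against a constructed listing."""
    lowered = {p.lower() for p in listing}
    return lambda p: p.lower() in lowered


if __name__ == "__main__":
    for section, path, state in preflight(SAMPLE_SCRIPT, disk_lookup(SAMPLE_DISK)):
        print(f"{state:11s} {section:18s} {path}")
```

A target this reports as "quarantined" or "missing" is one Avenger will fail to find at boot (NTSTATUS 0xC0000034 is STATUS_OBJECT_NAME_NOT_FOUND), so such lines can be dropped from the script before it is run, leaving only targets that are actually still on disk.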

#11 gowron29

gowron29
  • Topic Starter

  • Members
  • 9 posts

Posted 25 October 2007 - 09:42 PM

Richie,

Here is the Avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tmhqbfnx

*******************

Script file located at: \??\C:\WINDOWS\kjpyfcxl.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\MY DOWNLOADS\NEWNET.EXE deleted successfully.


Folder C:\Program Files\Ebates__MoeMoney__Maker not found!
Deletion of folder C:\Program Files\Ebates__MoeMoney__Maker failed!

Could not process line:
C:\Program Files\Ebates__MoeMoney__Maker
Status: 0xc0000034



Folder C:\Program Files\Messenger\bak not found!
Deletion of folder C:\Program Files\Messenger\bak failed!

Could not process line:
C:\Program Files\Messenger\bak
Status: 0xc0000034



Folder C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989 not found!
Deletion of folder C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989 failed!

Could not process line:
C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989
Status: 0xc0000034



Folder C:\Program Files\QuickTime\bak not found!
Deletion of folder C:\Program Files\QuickTime\bak failed!

Could not process line:
C:\Program Files\QuickTime\bak
Status: 0xc0000034



Folder C:\Program Files\SealedMedia\bak not found!
Deletion of folder C:\Program Files\SealedMedia\bak failed!

Could not process line:
C:\Program Files\SealedMedia\bak
Status: 0xc0000034



Folder C:\Program Files\ATI Technologies\ATI Control Panel\bak not found!
Deletion of folder C:\Program Files\ATI Technologies\ATI Control Panel\bak failed!

Could not process line:
C:\Program Files\ATI Technologies\ATI Control Panel\bak
Status: 0xc0000034



Folder C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak not found!
Deletion of folder C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak failed!

Could not process line:
C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak
Status: 0xc0000034



Folder C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak not found!
Deletion of folder C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak failed!

Could not process line:
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak
Status: 0xc0000034



Folder C:\Program Files\Common Files\Dell\EUSW\bak not found!
Deletion of folder C:\Program Files\Common Files\Dell\EUSW\bak failed!

Could not process line:
C:\Program Files\Common Files\Dell\EUSW\bak
Status: 0xc0000034



Folder C:\Program Files\Common Files\Real\Update_OB\bak not found!
Deletion of folder C:\Program Files\Common Files\Real\Update_OB\bak failed!

Could not process line:
C:\Program Files\Common Files\Real\Update_OB\bak
Status: 0xc0000034



Folder C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\bak not found!
Deletion of folder C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\bak failed!

Could not process line:
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\bak
Status: 0xc0000034



Folder C:\Program Files\Java\jre1.5.0_06\bin\bak not found!
Deletion of folder C:\Program Files\Java\jre1.5.0_06\bin\bak failed!

Could not process line:
C:\Program Files\Java\jre1.5.0_06\bin\bak
Status: 0xc0000034



Folder C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak not found!
Deletion of folder C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak failed!

Could not process line:
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

This is the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:19 PM, on 10/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\dlbxcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179486030718
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DataWorx PLC (DataWorxPLC) - Inteworx.net - C:\Program Files\AutomationDirect\DataWorx PLC\DataWorxPLCServer.exe
O23 - Service: DataWorx WinPLC (DataWorxWinPLC) - Inteworx.net - C:\Program Files\AutomationDirect\DataWorx WinPLC\DataWorxWinPLCServer.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\System32\dlbxcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 7713 bytes


The computer is running faster than normal. It has not directed me to another web site while on the Internet.

Gowron29
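A small triage script for logs in this format, added here as an example; it is not part of the thread above and is not code from HijackThis or Trend Micro. It pulls the `Xn - ...` entry lines out of a HijackThis 2.x log, raises review prompts on a few structurally interesting entry types (an O2 BHO with no display name, any O15 Trusted Zone addition, an O16 DPF ActiveX download from a host outside the domains it assumes are expected, any O18 custom protocol handler), and correlates which on-disk modules are registered under more than one IE hook type. The embedded sample log is a constructed subset of the log posted above plus one made-up Microsoft-hosted O16 line; the `EXPECTED_DPF_DOMAINS` list is an assumption. The flags are prompts for a human reviewer, not verdicts: a named vendor toolbar can legitimately register a BHO, a toolbar and a protocol handler from the same DLL.

```python
"""
Triage helper for HijackThis 2.x logs (added example, not part of this thread
or of HijackThis). Parses the "Xn - ..." entry lines, raises review flags on a
few entry types, and reports modules registered under more than one hook type.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the log posted above, plus one made-up
# Microsoft-hosted O16 line so the DPF heuristic has a benign case to skip.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:19 PM, on 10/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Class, constructed) - http://update.microsoft.com/example.cab
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# First Windows path ending in a loadable/executable extension; spaces are
# allowed so quoted "C:\Program Files\..." paths are captured whole.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|ocx|sys)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")
# Assumption: ActiveX (O16 DPF) downloads from these domains are expected.
EXPECTED_DPF_DOMAINS = ("microsoft.com", "windowsupdate.com")


@dataclass
class Entry:
    section: str  # hook type, e.g. "O2"
    body: str     # text after "O2 - "
    raw: str      # the whole line


def parse_hjt(text):
    """Return the entry lines of a HijackThis log as Entry objects."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2), line))
    return entries


def module_path(entry):
    """Lower-cased on-disk module referenced by an entry, or None."""
    m = PATH_RE.search(entry.body)
    return m.group(0).lower() if m else None


def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def triage(entries):
    """Return (findings, shared_modules).

    findings: list of (section, reason, raw line) review prompts.
    shared_modules: {module path: sorted hook sections} for modules registered
    under more than one hook type (BHO + toolbar + protocol handler, etc.).
    """
    findings = []
    sections_by_module = defaultdict(set)
    for e in entries:
        path = module_path(e)
        if path:
            sections_by_module[path].add(e.section)
        if e.section == "O2" and "(no name)" in e.body:
            findings.append((e.section, "BHO with no display name", e.raw))
        elif e.section == "O15":
            # Trusted Zone sites run under IE's most permissive settings.
            findings.append((e.section, "site added to the IE Trusted Zone", e.raw))
        elif e.section == "O16":
            m = URL_RE.search(e.body)
            host = urlparse(m.group(0)).hostname if m else None
            if host and not any(_in_domain(host, d) for d in EXPECTED_DPF_DOMAINS):
                findings.append((e.section, f"ActiveX control fetched from {host}", e.raw))
        elif e.section == "O18":
            findings.append((e.section, "custom URL protocol handler", e.raw))
    shared = {p: sorted(s) for p, s in sections_by_module.items() if len(s) > 1}
    return findings, shared


if __name__ == "__main__":
    found, shared = triage(parse_hjt(SAMPLE_LOG))
    for section, reason, raw in found:
        print(f"[{section}] {reason}\n    {raw}")
    for path, sections in shared.items():
        print(f"{path} is registered as {', '.join(sections)}")
```

Run against the sample it flags the unnamed BHO, the Trusted Zone entry, the cox.com DPF control and the `tbr:` protocol handler, and reports that `ctbr.dll` is registered as O2, O3 and O18 at once; whether any of that is unwanted is still the reviewer's call, as it was in this thread.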

#12 gowron29 (Topic Starter, Members, 9 posts)

Posted 25 October 2007 - 09:54 PM

Richie,

When I logged onto my son's profile, TrendMicro recognized some changes. I reverted them back to normal.

Will this info help?

#13 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 26 October 2007 - 04:35 AM

Great, your log is clean :thumbsup:
If all's ok, please do the following:

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.

Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button.
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.


Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.


Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found in the links below, to help you prevent any possible future infections:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html