Infected With Trojan Horse Dialer.28.a


  • This topic is locked
16 replies to this topic

#1 Priston

Priston

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:17 PM

Posted 14 October 2006 - 08:47 AM

UPDATE:

When I reboot the PC, after logging in as usual, I get a Spyware Guard message identifying that a Browser Helper Object (BHO) is being added to Internet Explorer, with the following info:

BHO id {91B2B74C-8732-4C17-84EE-60A553D5B0A5}
Prog Id n/a
file: c:\windows\system32\vturr.dll

It asks me whether I wish to Keep or Remove, when I try Remove the message just repeats, so eventually I have to say Keep.

I also get an Internet Explorer dialogue inviting me to use Spyware Removal Wizard, which I delete using Task Manager.
-----------------------------------------------

I have a persistent infection of Trojan horse Dialer.28.A, originally detected by AVG. I have AVG Resident Shield switched on, and so get persistent prompts to move the infected file to the AVG Virus Vault, (which is what I do.)

I don't know if this is connected, but I also get (1) an occasional dialogue box entitled "Work Offline" implying my Internet connection is down, and (2) browser redirects to various web-sites, including one advertising Win Antivirus Pro 2006, and dialogue boxes invoking System Integrity Scan Wizard (which I terminate via Task Manager).

I have followed your instructions as follows:
- clean out temp files

- scan with Ad-aware and Spybot
Ad-aware keeps showing clean and then new items which are tracking cookies
I installed Spybot v1.4 and ran this. However, when I activated TeaTimer, the Allow/Deny buttons were merged on screen whenever it detected issues, making it unusable - an Internet search revealed this was a known error, so I deactivated TeaTimer and installed Spyware Guard instead.

- scan with Housecall Anti Virus
Zone Alarm told me that Internet Explorer was trying to act as a server - it didn't seem to work without this, so I allowed it.

- scan with Panda Antivirus
I did this; the Active Scan showed a number of items, but I was unable to work out how to invoke the fixing without paying for it - I did not do this as I was reluctant to type in payment details on a computer potentially infected with a Trojan.

- scan with Bit Defender - this detected 7 viruses and 13 files - it claimed to have deleted 12 - it said I was still infected - I have the report if this is useful.

- scan with AVG, which claims to fix the TJH-D-28A infection (although it clearly doesn't)

- scan with McAfee Stinger
reported no problems

- enable firewall
I had the XP firewall running but have now installed Zone Alarm

- use Windows Update
no critical updates outstanding

Your assistance would be greatly appreciated. I attach my Hijack This Log below

Logfile of HijackThis v1.99.1
Scan saved at 14:00:58, on 14/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\{DCD6615C-0A64-1033-0830-06061606002c}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office 97\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office 97\Office\OSA.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/hws/sb/dell-usuk/e...html?channel=uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default....;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default....;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk/hws/sb/dell-usuk/e...html?channel=uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061005
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [pdhvzdd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\pdhvzdd.dll,envjqhc
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office 97\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office 97\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by Priston, 14 October 2006 - 09:18 AM.


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:05:17 PM

Posted 14 October 2006 - 10:33 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Click on start, then control panel, and then double-click on add/remove programs.
From within add/remove program uninstall the following if they exist by double-clicking on the following entries:

IpWins

I see you are running Teatimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

I do not recommend that you have more than one anti virus product installed and running on your computer at a time.
The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to create "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause false alarms - when the anti virus software tells you that your PC has a virus when it actually doesn't. Also it can cause system performance problems; your system may lock up due to both software products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or Norton.
If you remove McAfee please understand you will have to install a new firewall as the McAfee one will have been uninstalled also.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [pdhvzdd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\pdhvzdd.dll,envjqhc


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Go to the folder where Hijackthis is kept and rename the hijackthis application to "showme".
This can be done by right clicking on the program and clicking "rename".
Press enter, then open "showme.exe" by double clicking.
Post a new Hijackthis log from the newly named application.

Please download VundoFix.exe to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

David
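A triage helper for HijackThis log lines, added here as an illustration; it is not part of David's instructions, nor of HijackThis or VundoFix. It takes a few entries copied from the logs posted in this thread (a constructed sample) and flags the kinds of lines singled out above: orphaned entries whose target file is missing, unnamed BHOs and rundll32 Run entries backed by random-named DLLs in system32, and Winlogon Notify DLLs. The "5 to 8 lowercase letters" name heuristic is my own, derived from the DLL names in this thread, and will also match some legitimate DLLs, so the output is a review list for a helper to look at, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: a handful of entries copied from the HijackThis logs
# posted in this thread, mixing the Vundo-related lines with benign ones.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30CFD16B-BD2B-4DA0-8048-BB2E5417A423} - C:\WINDOWS\system32\vturr.dll
O2 - BHO: (no name) - {0475CFFC-1A7C-49C0-AE92-85F7E9320BBE} - (no file)
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [pdhvzdd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\pdhvzdd.dll,envjqhc
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: vturr - C:\WINDOWS\system32\vturr.dll
"""

# Every HijackThis entry starts with a section code (R0, O2, O4, O20 ...).
HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# rundll32 launching "<dll>,<export>" - the shape of the O4 lines David listed.
RUNDLL = re.compile(r"rundll32\.exe\s+(?P<dll>[^,]+\.dll),(?P<export>\S+)", re.IGNORECASE)
MISSING = re.compile(r"\((no file|file missing)\)", re.IGNORECASE)
# Heuristic (my assumption, not a rule from the page): the DLLs in this thread
# (vturr, gebxvvs, pdhvzdd, jgpqiam, winmbj32 ...) are 5-8 lowercase letters,
# optionally followed by two digits, dropped straight into system32.
RANDOM_NAME = re.compile(r"^[a-z]{5,8}(\d{2})?$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def dll_stem(path: str) -> str:
    """File name without directory or .dll extension."""
    name = path.strip('"').rsplit("\\", 1)[-1]
    return name[:-4] if name.lower().endswith(".dll") else name


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def suspicious_dll(path: str) -> bool:
    """True for a random-looking DLL name living directly in system32."""
    return in_system32(path) and RANDOM_NAME.match(dll_stem(path)) is not None


def triage(log_text: str) -> List[Finding]:
    """Flag HijackThis entries that deserve a second look before 'Fix Checked'."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line)
        if not m:
            continue
        sec, body = m["sec"], m["body"]
        if sec in ("O2", "O3", "O9") and MISSING.search(body):
            findings.append(Finding(sec, "orphaned entry: target file no longer exists", line))
        elif sec == "O20":
            # Winlogon Notify DLLs load into winlogon.exe at every logon; the log
            # in this thread had three of them, all belonging to the infection.
            findings.append(Finding(sec, "Winlogon Notify DLL; review unless known-good", line))
        elif sec == "O4":
            r = RUNDLL.search(body)
            if r and suspicious_dll(r["dll"]):
                findings.append(Finding(sec, "rundll32 loads a random-named system32 DLL", line))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            path = body.rsplit(" - ", 1)[-1]
            if suspicious_dll(path):
                findings.append(Finding(sec, "unnamed BHO backed by a random-named system32 DLL", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run as a script it prints the review list for the sample; `triage` returns `Finding` records, so the same checks can be applied to a complete pasted log. The NvCpl and Adobe lines pass through untouched, which is the point of the contrast: rundll32 and BHOs are normal, it is the combination with an unnamed entry and a throwaway-looking DLL name in system32 that earns a second look.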

#3 Priston

Priston
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:17 PM

Posted 15 October 2006 - 03:08 AM

David

Thanks very much for your quick reply - I am very impressed by the way in which individuals are prepared to help others in this way!

I have implemented your suggestions, and the good news is that I now appear to be almost back to normal. However on rebooting the system, and after logging in to my normal user, I get the following message:

"error loading c:\windows\system32\jgpqiam.dll". I note this file was deleted by VundoFix.exe - is it important??? I have not yet noticed any impact on running

Some detailed points plus the logs you requested:

- IpWins was NOT present in the Control Panel_Add/Remove Programs list

- TeaTimer disable
I did this
I also disabled Spyware Guard while I was implementing your actions

- Remove AVG/Norton
McAfee was originally present on the PC (which is only one week old), but I had already uninstalled it as AVG does a good job and is free.

- start HijackThis and delete R0,O3,O4,O4 items
all items were present and were deleted

- rename HijackThis as Showme and run report
Done, see FIRST HIJACK LOG below

- Download/run VundoFix and provide HijackThis log
done, see VUNDOFIX LOG below
note this was done in a normal session, i.e. not SAFE mode
VundoFix requested a reboot, but did not appear to run again on reload
"error loading c:\windows\system32\jgpqiam.dll" received after login
ran Hijack This - see POST-FIX LOG

- Subsequent actions
since then I have rebooted. I ran AVG, which just detected and deleted one virus, Trojan Horse Generic2.ENZ. I have run Ad-aware, which revealed and deleted 6 Tracking Cookies - IE Cache - Data Miner. I ran Spybot, which reported no items.

I have used the Internet a bit and not had any recurrence of virus prompts from AVG. I have kept Spybot disabled but have restored Spyware Guard - this did give me one message re BHO and vturr.dll similar to the one I reported previously, but I was able to "Remove" and have had no recurrence over a number of reboots. Is this the right action to take, i.e. is vturr.dll trying to do something malicious???

I have since run Hijack This (still renamed as Showme) - see FINAL LOG below

see LOGs below

FIRST LOG (taken by Showme after removal of 4 items R0,O3,O4x2)
---------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 19:32:35, on 14/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\{DCD6615C-0A64-1033-0830-06061606002c}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office 97\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office 97\Office\OSA.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\showme.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/hws/sb/dell-usuk/e...html?channel=uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default....;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default....;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk/hws/sb/dell-usuk/e...html?channel=uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061005
O2 - BHO: (no name) - {0475CFFC-1A7C-49C0-AE92-85F7E9320BBE} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E24427B-DF2A-40EB-980B-A819F5FF3DD0} - C:\WINDOWS\system32\gebxvvs.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\bmaguwrq.dll
O2 - BHO: (no name) - {30CFD16B-BD2B-4DA0-8048-BB2E5417A423} - C:\WINDOWS\system32\vturr.dll
O2 - BHO: (no name) - {33BD9807-E254-7B76-E790-0383F35DD339} - C:\WINDOWS\system32\bmdqzgg.dll
O2 - BHO: (no name) - {379936D4-60B6-42D9-8662-782743CE8C66} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {734BE93A-B331-43AF-9AFF-3C5D1E1108EC} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {D3DA2888-28E2-43CB-8357-10052451F5D1} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [jgpqiam.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\jgpqiam.dll,hdjdknc
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office 97\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office 97\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O20 - Winlogon Notify: gebxvvs - C:\WINDOWS\SYSTEM32\gebxvvs.dll
O20 - Winlogon Notify: vturr - C:\WINDOWS\system32\vturr.dll
O20 - Winlogon Notify: winmbj32 - C:\WINDOWS\SYSTEM32\winmbj32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

VUNDOFIX LOG
----------------------------------------------------------------------

VundoFix V6.2.2

Checking Java version...

Java version is 1.5.0.6

Scan started at 19:35:30 14/10/2006

Listing files found while scanning....

C:\WINDOWS\system32\bmaguwrq.dll
C:\WINDOWS\system32\bmdqzgg.dll
C:\WINDOWS\system32\gebxvvs.dll
C:\WINDOWS\system32\jgpqiam.dll
C:\WINDOWS\system32\winmbj32.dll
C:\WINDOWS\system32\xjzwazg.dll
C:\WINDOWS\system32\yayayvt.dll
C:\WINDOWS\system32\ygujnqdg.exe
C:\WINDOWS\system32\vturr.dll
C:\WINDOWS\system32\rrutv.ini
C:\WINDOWS\system32\rrutv.bak1
C:\WINDOWS\system32\rrutv.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bmaguwrq.dll
C:\WINDOWS\system32\bmaguwrq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bmdqzgg.dll
C:\WINDOWS\system32\bmdqzgg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebxvvs.dll
C:\WINDOWS\system32\gebxvvs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jgpqiam.dll
C:\WINDOWS\system32\jgpqiam.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\winmbj32.dll
C:\WINDOWS\system32\winmbj32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xjzwazg.dll
C:\WINDOWS\system32\xjzwazg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayayvt.dll
C:\WINDOWS\system32\yayayvt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ygujnqdg.exe
C:\WINDOWS\system32\ygujnqdg.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\vturr.dll
C:\WINDOWS\system32\vturr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rrutv.ini
C:\WINDOWS\system32\rrutv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rrutv.bak1
C:\WINDOWS\system32\rrutv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rrutv.bak2
C:\WINDOWS\system32\rrutv.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

POSTFIX LOG (from HIJACK THIS after VUNDOFIX run)
-----------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 00:12:50, on 15/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\{DCD6615C-0A64-1033-0830-06061606002c}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office 97\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office 97\Office\OSA.EXE
C:\Program Files\SpywareGuard\sgmain.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\HijackThis\showme.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/hws/sb/dell-usuk/e...html?channel=uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default....;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default....;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk/hws/sb/dell-usuk/e...html?channel=uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061005
O2 - BHO: (no name) - {0475CFFC-1A7C-49C0-AE92-85F7E9320BBE} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E24427B-DF2A-40EB-980B-A819F5FF3DD0} - C:\WINDOWS\system32\gebxvvs.dll (file missing)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\bmaguwrq.dll (file missing)
O2 - BHO: (no name) - {30CFD16B-BD2B-4DA0-8048-BB2E5417A423} - C:\WINDOWS\system32\vturr.dll (file missing)
O2 - BHO: (no name) - {33BD9807-E254-7B76-E790-0383F35DD339} - C:\WINDOWS\system32\bmdqzgg.dll (file missing)
O2 - BHO: (no name) - {379936D4-60B6-42D9-8662-782743CE8C66} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {734BE93A-B331-43AF-9AFF-3C5D1E1108EC} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {D3DA2888-28E2-43CB-8357-10052451F5D1} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [jgpqiam.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\jgpqiam.dll,hdjdknc
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office 97\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office 97\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


FINAL LOG (run with Showme, with Zone Alarm, AVG, SpyGuard enabled, Spybot Teatimer disabled)
------------------------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 08:21:17, on 15/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\{DCD6615C-0A64-1033-0830-06061606002c}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office 97\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office 97\Office\OSA.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HijackThis\showme.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/hws/sb/dell-usuk/e...html?channel=uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default....;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default....;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk/hws/sb/dell-usuk/e...html?channel=uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061005
O2 - BHO: (no name) - {0475CFFC-1A7C-49C0-AE92-85F7E9320BBE} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E24427B-DF2A-40EB-980B-A819F5FF3DD0} - C:\WINDOWS\system32\gebxvvs.dll (file missing)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\bmaguwrq.dll (file missing)
O2 - BHO: (no name) - {33BD9807-E254-7B76-E790-0383F35DD339} - C:\WINDOWS\system32\bmdqzgg.dll (file missing)
O2 - BHO: (no name) - {379936D4-60B6-42D9-8662-782743CE8C66} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {734BE93A-B331-43AF-9AFF-3C5D1E1108EC} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {D3DA2888-28E2-43CB-8357-10052451F5D1} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [jgpqiam.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\jgpqiam.dll,hdjdknc
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office 97\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office 97\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 15 October 2006 - 05:45 AM

Hey there and thanks for the detailed responses.
Everything is going to plan, we just need to do a bit more here.
Hopefully the error on startup should go after the following instructions.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {0475CFFC-1A7C-49C0-AE92-85F7E9320BBE} - (no file)
O2 - BHO: (no name) - {0E24427B-DF2A-40EB-980B-A819F5FF3DD0} - C:\WINDOWS\system32\gebxvvs.dll (file missing)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\bmaguwrq.dll (file missing)
O2 - BHO: (no name) - {33BD9807-E254-7B76-E790-0383F35DD339} - C:\WINDOWS\system32\bmdqzgg.dll (file missing)
O2 - BHO: (no name) - {379936D4-60B6-42D9-8662-782743CE8C66} - (no file)
O2 - BHO: (no name) - {734BE93A-B331-43AF-9AFF-3C5D1E1108EC} - (no file)
O2 - BHO: (no name) - {D3DA2888-28E2-43CB-8357-10052451F5D1} - (no file)
O4 - HKLM\..\Run: [jgpqiam.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\jgpqiam.dll,hdjdknc


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Open hijackthis, click 'config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste next:

C:\WINDOWS\system32\jgpqiam.dll

Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say Yes.

Please perform this online scan: Kaspersky Webscan

1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

David
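
As an added example (not part of this thread and not HijackThis's own code), here is a small Python triage script that applies the two rules behind David's selection above to lines copied from the log posted in this thread: a BHO whose DLL is absent or that has no registered name, and a Run value that is named after the very DLL it loads through rundll32. Both rules are my own heuristics for reading HJT logs, not rules HijackThis itself applies.

```python
"""Triage a HijackThis v1.99.1 log for the entry types fixed in this thread.

Added example, not part of the thread or of HijackThis: the two rules below
(orphaned_bho, suspicious_rundll) are my own heuristics written against the
log format shown above; SAMPLE_LOG copies lines from the log posted there.
"""
import re
from dataclasses import dataclass

# O2 - BHO: <name> - {CLSID} - <path, or "(no file)">
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O4 - HKLM\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<entry>[^\]]+)\] (?P<command>.*)$")
# rundll32[.exe] <dll>,<export>; the DLL path may be quoted, match is case-insensitive
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)', re.IGNORECASE)

# Constructed sample: a subset of the FINAL LOG above, with benign entries
# included so the rules have something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0475CFFC-1A7C-49C0-AE92-85F7E9320BBE} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E24427B-DF2A-40EB-980B-A819F5FF3DD0} - C:\WINDOWS\system32\gebxvvs.dll (file missing)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\bmaguwrq.dll (file missing)
O2 - BHO: (no name) - {33BD9807-E254-7B76-E790-0383F35DD339} - C:\WINDOWS\system32\bmdqzgg.dll (file missing)
O2 - BHO: (no name) - {379936D4-60B6-42D9-8662-782743CE8C66} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {734BE93A-B331-43AF-9AFF-3C5D1E1108EC} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {D3DA2888-28E2-43CB-8357-10052451F5D1} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [jgpqiam.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\jgpqiam.dll,hdjdknc
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""


@dataclass
class Finding:
    line: str
    reason: str


def orphaned_bho(name: str, path: str):
    """Rule 1: HJT prints '(no file)' or '... (file missing)' when the BHO's
    DLL is gone; a BHO with no registered name is also unusual for legitimate
    software, so both get flagged. Returns a reason string or None."""
    if path == "(no file)" or path.endswith("(file missing)"):
        return "BHO registered in IE but its DLL is absent"
    if name == "(no name)":
        return "BHO with no registered name"
    return None


def suspicious_rundll(entry: str, command: str):
    """Rule 2 (my heuristic): a Run value named after the very DLL it loads
    through rundll32 is how the jgpqiam.dll entry in the log presents itself;
    vendor entries such as NvCplDaemon carry a descriptive value name instead."""
    m = RUNDLL_RE.search(command)
    if not m:
        return None
    dll_name = m.group("dll").strip().rsplit("\\", 1)[-1]
    if entry.lower() == dll_name.lower():
        return "Run value named after the DLL it loads via rundll32, export " + m.group("export")
    return None


def triage(log_text: str) -> list:
    """Return a Finding for every O2/O4 line that trips one of the rules."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = O2_RE.match(line)
        if m:
            reason = orphaned_bho(m.group("name"), m.group("path"))
        else:
            m = O4_RE.match(line)
            reason = suspicious_rundll(m.group("entry"), m.group("command")) if m else None
        if reason:
            findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    # On SAMPLE_LOG this reports exactly the eight entries David listed.
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```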

#5 Priston

  • Topic Starter
  • Members
  • 10 posts

Posted 15 October 2006 - 07:30 AM

Thanks again for your email, David

Feedback below, I look forward to your reply:

Note ZoneAlarm, Spyware Guard enabled throughout, TeaTimer disabled

- Delete items with HJT
all items were present and were deleted

- Delete file jgpqiam.dll on reboot
done
NO error message "error loading file jgpqiam.dll" received on logging in

- Kaspersky scan
done, items reported, log included below

- Hijack This log
done, included below


KASPERSKY RESULTS
-------------------------------------------------

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, October 15, 2006 1:12:07 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 15/10/2006
Kaspersky Anti-Virus database records: 218581
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 50923
Number of viruses found: 8
Number of infected objects: 25 / 0
Number of suspicious objects: 2
Duration of the scan process: 00:24:12

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-10092006-235134.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC12.zip/ishost.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC12.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Hannah\Application Data\Corel\Paint Shop Pro\10\Cache\CMD.PspCache Object is locked skipped
C:\Documents and Settings\Hannah\Application Data\desktop.ini Object is locked skipped
C:\Documents and Settings\Hannah\Application Data\Gtek\gtny\gtuser.cfg Object is locked skipped
C:\Documents and Settings\Hannah\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\AUAgent.exc Object is locked skipped
C:\Documents and Settings\Hannah\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\AUCommon.cfg Object is locked skipped
C:\Documents and Settings\Hannah\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Hannah\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config Object is locked skipped
C:\Documents and Settings\Hannah\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config.cch Object is locked skipped
C:\Documents and Settings\Hannah\Application Data\Microsoft\Internet Explorer\brndlog.bak Object is locked skipped
C:\Documents and Settings\Hannah\Application Data\Microsoft\Internet Explorer\brndlog.txt Object is locked skipped
C:\Documents and Settings\Hannah\Application Data\Microsoft\Internet Explorer\Desktop.htt Object is locked skipped
C:\Documents and Settings\Hannah\Application Data\Microsoft\Internet Explorer\Quick Launch\AOL 9.0.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Application Data\Microsoft\Internet Explorer\Quick Launch\Corel Paint Shop Pro X.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini Object is locked skipped
C:\Documents and Settings\Hannah\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickTime Player.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf Object is locked skipped
C:\Documents and Settings\Hannah\Application Data\Microsoft\Protect\CREDHIST Object is locked skipped
C:\Documents and Settings\Hannah\Application Data\Microsoft\Protect\S-1-5-21-1698933516-4221860169-1340153857-1003\755b6b81-262b-477b-8c03-6052198e2574 Object is locked skipped
C:\Documents and Settings\Hannah\Application Data\Microsoft\Protect\S-1-5-21-1698933516-4221860169-1340153857-1003\Preferred Object is locked skipped
C:\Documents and Settings\Hannah\Application Data\Microsoft\Windows\Themes\Custom.theme Object is locked skipped
C:\Documents and Settings\Hannah\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Hannah\Desktop\Spyware Protection from AOL.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Desktop\Windows Media Player.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Favorites\Dell\Dell.url Object is locked skipped
C:\Documents and Settings\Hannah\Favorites\Dell\Support.Dell.Com.url Object is locked skipped
C:\Documents and Settings\Hannah\Favorites\Desktop.ini Object is locked skipped
C:\Documents and Settings\Hannah\Favorites\Links\Customize Links.url Object is locked skipped
C:\Documents and Settings\Hannah\Favorites\Links\Free Hotmail.url Object is locked skipped
C:\Documents and Settings\Hannah\Favorites\Links\RealPlayer.url Object is locked skipped
C:\Documents and Settings\Hannah\Favorites\Links\Windows Marketplace.url Object is locked skipped
C:\Documents and Settings\Hannah\Favorites\Links\Windows Media.url Object is locked skipped
C:\Documents and Settings\Hannah\Favorites\Links\Windows.url Object is locked skipped
C:\Documents and Settings\Hannah\Favorites\Media\Real.com Radio Tuner.url Object is locked skipped
C:\Documents and Settings\Hannah\Favorites\MSN.com.url Object is locked skipped
C:\Documents and Settings\Hannah\Favorites\Radio Station Guide.url Object is locked skipped
C:\Documents and Settings\Hannah\Favorites\RealPlayer Home Page.url Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Application Data\ApplicationHistory\MSI4D.tmp.75ebf30a.ini Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Application Data\ApplicationHistory\OOBEINIT.exe.385e8e6d.ini Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Application Data\ApplicationHistory\SL30.tmp.a406a4be.ini Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Application Data\IconCache.db Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_59R.wmdb Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNS.DTD Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNS.XML Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Application Data\Microsoft\Works\Portfolio\wsbsamp.wsb Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}\1033.MST Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}\J2SE Runtime Environment 5.0 Update 6.msi Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\desktop.ini Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\History\desktop.ini Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\History\History.IE5\desktop.ini Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\History\History.IE5\MSHist012006101020061011\index.dat Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Temp\BEB71B81.TMP Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Hannah\Local Settings\Temporary Internet Files\desktop.ini Object is locked skipped
C:\Documents and Settings\Hannah\My Documents\desktop.ini Object is locked skipped
C:\Documents and Settings\Hannah\My Documents\My Music\Corel Sample Music\Classical Interlude 1.mp3 Object is locked skipped
C:\Documents and Settings\Hannah\My Documents\My Music\Corel Sample Music\Jazz Groove.mp3 Object is locked skipped
C:\Documents and Settings\Hannah\My Documents\My Music\Corel Sample Music\Piano Blues 1.mp3 Object is locked skipped
C:\Documents and Settings\Hannah\My Documents\My Music\Desktop.ini Object is locked skipped
C:\Documents and Settings\Hannah\My Documents\My Music\Sample Music.lnk Object is locked skipped
C:\Documents and Settings\Hannah\My Documents\My Pictures\Desktop.ini Object is locked skipped
C:\Documents and Settings\Hannah\My Documents\My Pictures\Sample Pictures.lnk Object is locked skipped
C:\Documents and Settings\Hannah\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Hannah\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Hannah\ntuser.ini Object is locked skipped
C:\Documents and Settings\Hannah\Recent\Desktop.ini Object is locked skipped
C:\Documents and Settings\Hannah\SendTo\Compressed (zipped) Folder.ZFSendToTarget Object is locked skipped
C:\Documents and Settings\Hannah\SendTo\Desktop (create shortcut).DeskLink Object is locked skipped
C:\Documents and Settings\Hannah\SendTo\desktop.ini Object is locked skipped
C:\Documents and Settings\Hannah\SendTo\Mail Recipient.MAPIMail Object is locked skipped
C:\Documents and Settings\Hannah\SendTo\My Documents.mydocs Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\desktop.ini Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Accessories\Accessibility\desktop.ini Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Accessories\Address Book.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Accessories\Command Prompt.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Accessories\desktop.ini Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Accessories\Entertainment\desktop.ini Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Accessories\Entertainment\RealPlayer.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Accessories\Notepad.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Accessories\Synchronize.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Accessories\Tour Windows XP.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Accessories\Windows Explorer.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Dell\Phone Support.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\desktop.ini Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Internet Explorer.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Outlook Express.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Remote Assistance.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Startup\desktop.ini Object is locked skipped
C:\Documents and Settings\Hannah\Start Menu\Programs\Windows Media Player.lnk Object is locked skipped
C:\Documents and Settings\Hannah\Templates\amipro.sam Object is locked skipped
C:\Documents and Settings\Hannah\Templates\excel.xls Object is locked skipped
C:\Documents and Settings\Hannah\Templates\excel4.xls Object is locked skipped
C:\Documents and Settings\Hannah\Templates\lotus.wk4 Object is locked skipped
C:\Documents and Settings\Hannah\Templates\powerpnt.ppt Object is locked skipped
C:\Documents and Settings\Hannah\Templates\presenta.shw Object is locked skipped
C:\Documents and Settings\Hannah\Templates\quattro.wb2 Object is locked skipped
C:\Documents and Settings\Hannah\Templates\sndrec.wav Object is locked skipped
C:\Documents and Settings\Hannah\Templates\winword.doc Object is locked skipped
C:\Documents and Settings\Hannah\Templates\winword2.doc Object is locked skipped
C:\Documents and Settings\Hannah\Templates\wordpfct.wpd Object is locked skipped
C:\Documents and Settings\Hannah\Templates\wordpfct.wpg Object is locked skipped
C:\Documents and Settings\Hannah\TRANSFORMS=1033.mst Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Richard\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C97A5419-F90D-40E3-A189-5A5CA51D0641} Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Temp\mst144.tmp Infected: Packed.Win32.Klone.g skipped
C:\Documents and Settings\Richard\Local Settings\Temp\mst150.tmp Infected: Packed.Win32.Klone.g skipped
C:\Documents and Settings\Richard\Local Settings\Temp\SysProtectScannerSetup.exe/Stream/data0001 Infected: Trojan-Downloader.Win32.Agent.aqh skipped
C:\Documents and Settings\Richard\Local Settings\Temp\SysProtectScannerSetup.exe/Stream Infected: Trojan-Downloader.Win32.Agent.aqh skipped
C:\Documents and Settings\Richard\Local Settings\Temp\SysProtectScannerSetup.exe Inno: infected - 2 skipped
C:\Documents and Settings\Richard\Local Settings\Temp\~DF4888.tmp Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Temp\~DF7C2C.tmp Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Temporary Internet Files\Content.IE5\D1Y1ZV1E\mulbin32[1].exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.dc skipped
C:\Documents and Settings\Richard\Local Settings\Temporary Internet Files\Content.IE5\D1Y1ZV1E\mulbin32[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Richard\Local Settings\Temporary Internet Files\Content.IE5\D1Y1ZV1E\srvqsr[1].exe Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Richard\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Richard\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Richard\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Richard\UserData\index.dat Object is locked skipped
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe Infected: Trojan-Downloader.Win32.PurityScan.dc skipped
C:\RECYCLER\S-1-5-21-1698933516-4221860169-1340153857-1006\Dc2.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\RECYCLER\S-1-5-21-1698933516-4221860169-1340153857-1006\Dc2.exe/stream Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\RECYCLER\S-1-5-21-1698933516-4221860169-1340153857-1006\Dc2.exe NSIS: infected - 2 skipped
C:\RECYCLER\S-1-5-21-1698933516-4221860169-1340153857-1006\Dc4.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\RECYCLER\S-1-5-21-1698933516-4221860169-1340153857-1006\Dc4.exe/stream Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\RECYCLER\S-1-5-21-1698933516-4221860169-1340153857-1006\Dc4.exe NSIS: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\VundoFix Backups\bmaguwrq.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\VundoFix Backups\winmbj32.dll.bad Infected: Packed.Win32.Klone.g skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\DESKTOP.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{EAA303CC-85AC-4314-83AB-801743DA67FF}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\win21.tmp.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\WINDOWS\Temp\win216.tmp.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.dc skipped
C:\WINDOWS\Temp\win216.tmp.exe NSIS: infected - 1 skipped
C:\WINDOWS\Temp\win230.tmp.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\WINDOWS\Temp\win23F.tmp.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.dc skipped
C:\WINDOWS\Temp\win23F.tmp.exe NSIS: infected - 1 skipped
C:\WINDOWS\Temp\win24E.tmp.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\WINDOWS\Temp\win544.tmp.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\WINDOWS\Temp\ZLT056ef.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT056f2.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.


LATEST HIJACK THIS LOG
-------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 13:17:58, on 15/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\{DCD6615C-0A64-1033-0830-06061606002c}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office 97\Office\MSOFFICE.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Microsoft Office 97\Office\OSA.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\showme.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/hws/sb/dell-usuk/e...html?channel=uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default....;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default....;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk/hws/sb/dell-usuk/e...html?channel=uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office 97\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office 97\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...871/mcfscan.cab
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 15 October 2006 - 08:32 AM

Hello there,
Thanks for the logs,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.


Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\VundoFix Backups
C:\Program Files\Common Files\{DCD6615C-0A64-1033-0830-06061606002c}

Please empty your recycle bin.

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer.
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° When prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click ok.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

Please reboot back to normal mode now.
Post a new Hijackthis log and let me know how the system is running.
David
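As an added example (not part of this thread or of any tool the helper names), a small Python triage script run over lines copied from the Kaspersky report posted above: it collapses nested-archive hits such as `x.exe/Stream/data0001` to their on-disk container, groups them by location, and separates what the temp, cache and recycle bin cleaning in the steps above will already remove from what has to be deleted by name. The location labels and helper names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the Kaspersky on-line
# scan report posted earlier in this thread (not the whole report).
SAMPLE_REPORT = r"""
C:\Documents and Settings\Richard\Local Settings\Temp\mst144.tmp Infected: Packed.Win32.Klone.g skipped
C:\Documents and Settings\Richard\Local Settings\Temp\SysProtectScannerSetup.exe/Stream/data0001 Infected: Trojan-Downloader.Win32.Agent.aqh skipped
C:\Documents and Settings\Richard\Local Settings\Temp\SysProtectScannerSetup.exe/Stream Infected: Trojan-Downloader.Win32.Agent.aqh skipped
C:\Documents and Settings\Richard\Local Settings\Temp\SysProtectScannerSetup.exe Inno: infected - 2 skipped
C:\Documents and Settings\Richard\Local Settings\Temporary Internet Files\Content.IE5\D1Y1ZV1E\srvqsr[1].exe Infected: Trojan.Win32.Dialer.qs skipped
C:\Documents and Settings\Richard\NTUSER.DAT Object is locked skipped
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe Infected: Trojan-Downloader.Win32.PurityScan.dc skipped
C:\RECYCLER\S-1-5-21-1698933516-4221860169-1340153857-1006\Dc2.exe/stream Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\RECYCLER\S-1-5-21-1698933516-4221860169-1340153857-1006\Dc2.exe NSIS: infected - 2 skipped
C:\VundoFix Backups\bmaguwrq.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\Temp\win21.tmp.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# Archive/installer summary lines look like "<path> Inno: infected - 2 skipped".
_ARCHIVE_RE = re.compile(r"^(?P<path>.+) (?P<packer>\w+): infected - (?P<n>\d+) skipped$")

# Location labels are my own; the regexes run against the lower-cased path.
_LOCATION_RULES = [
    (r"\\local settings\\temporary internet files\\", "browser cache"),
    (r"\\local settings\\temp\\", "user temp"),
    (r"^c:\\windows\\temp\\", "windows temp"),
    (r"^c:\\recycler\\", "recycle bin"),
    (r"\\vundofix backups\\", "tool quarantine"),
]
# Locations emptied by the cache / cleanmgr / recycle bin steps in the post above.
CLEANED_BY_TEMP_CLEANUP = {"browser cache", "user temp", "windows temp", "recycle bin"}


def parse_line(line):
    """Return (container_path, detection) for an infected line, or None for
    locked, blank or unrecognised lines. Nested members such as
    'x.exe/Stream/data0001' are collapsed to the on-disk container 'x.exe'."""
    line = line.strip()
    if not line or line.endswith("Object is locked skipped"):
        return None
    if " Infected: " in line:
        path, rest = line.split(" Infected: ", 1)
        detection = rest[: -len(" skipped")] if rest.endswith(" skipped") else rest
    else:
        m = _ARCHIVE_RE.match(line)
        if not m:
            return None
        path = m.group("path")
        detection = f"{m.group('packer')} installer, {m.group('n')} infected member(s)"
    return path.split("/", 1)[0], detection


def classify(path):
    """Map a container path to one of the location labels above, else 'other'."""
    p = path.lower()
    for pattern, label in _LOCATION_RULES:
        if re.search(pattern, p):
            return label
    return "other"


def triage(report_text):
    """Group infected containers by location:
    {location: {container_path: sorted list of distinct detections}}."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in report_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, detection = parsed
        hits[classify(path)][path].add(detection)
    return {loc: {p: sorted(d) for p, d in paths.items()} for loc, paths in hits.items()}


def manual_delete_list(report_text):
    """Paths a helper has to name explicitly: everything the temp, cache and
    recycle bin cleaning will not already remove."""
    grouped = triage(report_text)
    return sorted(p for loc, paths in grouped.items()
                  if loc not in CLEANED_BY_TEMP_CLEANUP for p in paths)


def detection_summary(report_text):
    """Number of distinct on-disk containers per detection name."""
    counts = defaultdict(int)
    for paths in triage(report_text).values():
        for detections in paths.values():
            for d in detections:
                counts[d] += 1
    return dict(counts)


if __name__ == "__main__":
    for location, paths in sorted(triage(SAMPLE_REPORT).items()):
        print(f"[{location}]")
        for path, detections in sorted(paths.items()):
            print(f"  {path}\n    {', '.join(detections)}")
    print("Needs an explicit delete step:", *manual_delete_list(SAMPLE_REPORT), sep="\n  ")
```

On the sample the explicit-delete list comes out as the Yazzle file and the VundoFix backup, the same two items the post above names; everything else sits in temp, cache or recycle bin locations.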

#7 Priston

Priston
  • Topic Starter

  • Members
  • 10 posts

Posted 15 October 2006 - 09:41 AM

David

Thanks for the latest.

Feedback below:

- Reboot in Safe Mode, delete files
Yazzle file NOT FOUND
Vundofixbackups, {DCD6615 etc} found and deleted

- Empty Recycle bin, Delete Internet cookies and files, Clean temp files, Empty recycle bin etc
Done

-Run cleanmgr
Done

- Reboot in Normal mode
Done, no messages, system seems to be operating OK

- run Hijack This Log
attached below

Logfile of HijackThis v1.99.1
Scan saved at 15:29:42, on 15/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office 97\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office 97\Office\OSA.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\showme.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/hws/sb/dell-usuk/e...html?channel=uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default....;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default....;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk/hws/sb/dell-usuk/e...html?channel=uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office 97\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office 97\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...871/mcfscan.cab
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 15 October 2006 - 09:43 AM

Good work, it looks like the end is in sight here.
Please download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

#9 Priston

Priston
  • Topic Starter

  • Members
  • 10 posts

Posted 15 October 2006 - 10:08 AM

Thanks again, David

Combofix and HJT logs attached, system appears to be working normally.

COMBOFIX
--------------------------

Richard - 06-10-15 15:56:18.90 Service Pack 2
ComboFix 06.10.14.1 - Running from: "C:\Documents and Settings\Richard\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{3CD6615C-0A64-1033-0830-06061606002c}


((((((((((((((((((((((((((((((( Files Created from 2006-09-15 to 2006-10-15 ))))))))))))))))))))))))))))))))))


2006-10-15 09:17 <DIR> d-------- C:\WINDOWS\McAfee.com
2006-10-14 08:22 93,696 --a------ C:\WINDOWS\system32\pdhvzdd.dll
2006-10-13 17:27 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-10-13 11:03 176,167 --a------ C:\WINDOWS\system32\rmocx.dll
2006-10-12 13:31 39,936 --a------ C:\WINDOWS\KPSYS32.DLL
2006-10-12 13:31 32,768 --a------ C:\WINDOWS\system32\SQ1394.DLL
2006-10-12 13:31 284,672 --a------ C:\WINDOWS\SPROF32.DLL
2006-10-12 13:31 269,312 --a------ C:\WINDOWS\KDSINPUT.DLL
2006-10-12 13:31 22,528 --a------ C:\WINDOWS\PFPICK.DLL
2006-10-12 13:31 20,992 --a------ C:\WINDOWS\ICCCODES.DLL
2006-10-12 13:31 18,432 --a------ C:\WINDOWS\KCM2SP.DLL
2006-10-12 13:31 165,376 --a------ C:\WINDOWS\KPCP32.DLL
2006-10-12 13:31 155,648 --a------ C:\WINDOWS\system32\daspi32u.dll
2006-10-12 13:31 12,400 -ra------ C:\WINDOWS\system32\USBSCAN.SYS
2006-10-12 13:31 106,496 --a------ C:\WINDOWS\system32\SQ_SCAN.DLL
2006-10-12 13:31 106,496 --a------ C:\WINDOWS\system32\IO_PORT.DLL
2006-10-12 13:31 104,448 --a------ C:\WINDOWS\TWAIN32.DLL
2006-10-12 13:31 102,400 --a------ C:\WINDOWS\system32\FVC.DLL
2006-10-12 13:31 10,768 --a------ C:\WINDOWS\system32\drivers\SBP2SCAN.SYS
2006-10-12 13:31 10,624 --a------ C:\WINDOWS\system32\GENEUSB.SYS
2006-10-12 13:31 10,624 --a------ C:\WINDOWS\system32\drivers\GENEUSB.SYS
2006-10-12 13:31 1,674,752 --a------ C:\WINDOWS\KDSOUT.DLL
2006-10-12 12:18 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2006-10-12 12:15 94,208 --a------ C:\WINDOWS\system32\CNDCK189.dll
2006-10-12 12:15 40,960 --a------ C:\WINDOWS\system32\CNDNDlg.exe
2006-10-12 12:15 163,840 --a------ C:\WINDOWS\system32\CNDUK189.dll
2006-10-12 12:15 127,059 --a------ C:\WINDOWS\system32\DSLLK189.dll
2006-10-09 23:34 114,688 --a------ C:\WINDOWS\SeaMonkeyUninstall.exe
2006-10-09 23:34 114,688 --a------ C:\WINDOWS\GREUninstall.exe
2006-10-09 22:48 88 -r-hs---- C:\WINDOWS\system32\6A9F4A06CE.sys
2006-10-09 22:48 5,852 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-10-09 22:39 26,496 --a------ C:\WINDOWS\system32\drivers\USBSTOR.SYS
2006-10-09 21:26 778,656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-10-09 21:26 4,992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-10-09 21:26 4,288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-10-09 21:26 27,904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-10-09 21:26 23,104 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-10-09 19:27 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2006-10-09 19:05 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-10-09 19:05 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2006-10-09 19:05 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2006-10-05 00:04 94,263 --a------ C:\WINDOWS\DLA.EXE
2006-10-05 00:04 89,264 --a------ C:\WINDOWS\system32\drivers\DRVMCDB.SYS
2006-10-05 00:04 61,500 --a------ C:\WINDOWS\system32\DLAAPI_W.DLL
2006-10-05 00:04 5,628 --a------ C:\WINDOWS\system32\drivers\DLACDBHM.SYS
2006-10-05 00:04 40,544 --a------ C:\WINDOWS\system32\drivers\DRVNDDM.SYS
2006-10-05 00:04 22,684 --a------ C:\WINDOWS\system32\drivers\DLARTL_N.SYS
2006-10-05 00:02 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2006-10-05 00:02 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2006-10-05 00:02 173,184 --a------ C:\WINDOWS\system32\ygpss.scr
2006-10-05 00:02 118,784 --a------ C:\WINDOWS\system32\Msstdfmt.dll
2006-10-05 00:02 102,400 --a------ C:\WINDOWS\system32\SimpleRegistry.dll
2006-10-05 00:02 10,752 --a------ C:\WINDOWS\system32\aamd532.dll
2006-10-05 00:01 8,552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys
2006-10-05 00:01 54,784 --a------ C:\WINDOWS\system32\Inetwh32.dll
2006-10-05 00:01 1,044,480 --a------ C:\WINDOWS\system32\roboex32.dll
2006-10-04 23:59 712,704 --a------ C:\WINDOWS\system32\DellSystemRestore.dll
2006-10-04 23:57 126,976 --a------ C:\WINDOWS\system32\Imsmudlg.exe
2006-10-04 23:55 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2006-10-04 23:55 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2006-10-04 23:55 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2006-10-04 23:55 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-10-04 23:55 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2006-10-04 23:55 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2006-10-04 23:55 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2006-10-04 23:55 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2006-10-04 23:55 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2006-10-04 23:55 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-10-04 23:55 282,624 --a------ C:\WINDOWS\stsystra.exe
2006-10-04 23:55 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-10-04 23:55 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-10-04 23:55 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2006-10-04 23:55 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2006-10-04 23:55 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2006-10-04 23:55 1,052,672 --a------ C:\WINDOWS\system32\stlang.dll
2006-10-04 23:54 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2006-10-04 23:43 180,224 --a------ C:\WINDOWS\system32\nvudisp.exe
2006-10-04 23:38 985,088 --a------ C:\WINDOWS\system32\setupapi.dll
2006-10-04 23:38 90,112 --a------ C:\WINDOWS\system32\nvapi.dll
2006-10-04 23:38 86,016 --a------ C:\WINDOWS\system32\nvmctray.dll
2006-10-04 23:38 81,920 --a------ C:\WINDOWS\system32\nvwddi.dll
2006-10-04 23:38 7,323,648 --a------ C:\WINDOWS\system32\nvcpl.dll
2006-10-04 23:38 56,832 --a------ C:\WINDOWS\system32\NicEtCoE.dll
2006-10-04 23:38 5,398,528 --a------ C:\WINDOWS\system32\nvoglnt.dll
2006-10-04 23:38 49,152 --a------ C:\WINDOWS\setpwrcg.exe
2006-10-04 23:38 45,056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2006-10-04 23:38 35,328 --a------ C:\WINDOWS\system32\nvcodins.dll
2006-10-04 23:38 35,328 --a------ C:\WINDOWS\system32\nvcod.dll
2006-10-04 23:38 335,872 --a------ C:\WINDOWS\system32\nvwrses.dll
2006-10-04 23:38 327,680 --a------ C:\WINDOWS\system32\nvwrsfr.dll
2006-10-04 23:38 323,584 --a------ C:\WINDOWS\system32\nvwrsit.dll
2006-10-04 23:38 319,488 --a------ C:\WINDOWS\system32\nvwrsptb.dll
2006-10-04 23:38 319,488 --a------ C:\WINDOWS\system32\nvwrsnl.dll
2006-10-04 23:38 311,296 --a------ C:\WINDOWS\system32\nvwrsde.dll
2006-10-04 23:38 303,104 --a------ C:\WINDOWS\system32\nvwrsfi.dll
2006-10-04 23:38 299,008 --a------ C:\WINDOWS\system32\nvwrsno.dll
2006-10-04 23:38 294,912 --a------ C:\WINDOWS\system32\nvwrssv.dll
2006-10-04 23:38 294,912 --a------ C:\WINDOWS\system32\nvwrsda.dll
2006-10-04 23:38 278,528 --a------ C:\WINDOWS\system32\nvrsfr.dll
2006-10-04 23:38 274,432 --a------ C:\WINDOWS\system32\nvrsit.dll
2006-10-04 23:38 274,432 --a------ C:\WINDOWS\system32\nvrses.dll
2006-10-04 23:38 270,336 --a------ C:\WINDOWS\system32\nvrsde.dll
2006-10-04 23:38 266,240 --a------ C:\WINDOWS\system32\nvrsnl.dll
2006-10-04 23:38 262,144 --a------ C:\WINDOWS\system32\nvrsptb.dll
2006-10-04 23:38 262,144 --a------ C:\WINDOWS\system32\nvrsja.dll
2006-10-04 23:38 258,048 --a------ C:\WINDOWS\system32\nvrsko.dll
2006-10-04 23:38 253,952 --a------ C:\WINDOWS\system32\e1000msg.dll
2006-10-04 23:38 249,856 --a------ C:\WINDOWS\system32\nvrssv.dll
2006-10-04 23:38 249,856 --a------ C:\WINDOWS\system32\nvrsno.dll
2006-10-04 23:38 249,856 --a------ C:\WINDOWS\system32\nvrsda.dll
2006-10-04 23:38 246,784 --a------ C:\WINDOWS\system32\drivers\iaStor.sys
2006-10-04 23:38 241,664 --a------ C:\WINDOWS\system32\nvrsfi.dll
2006-10-04 23:38 230,400 --a------ C:\WINDOWS\system32\drivers\e1e5132.sys
2006-10-04 23:38 229,376 --a------ C:\WINDOWS\system32\nvmccs.dll
2006-10-04 23:38 217,088 --a------ C:\WINDOWS\system32\nvrszhc.dll
2006-10-04 23:38 212,992 --a------ C:\WINDOWS\system32\nvwrsja.dll
2006-10-04 23:38 21,504 --a------ C:\WINDOWS\system32\NicCo.dll
2006-10-04 23:38 208,896 --a------ C:\WINDOWS\system32\stacapi.dll
2006-10-04 23:38 20,480 --a------ C:\WINDOWS\system32\NicInstE.dll
2006-10-04 23:38 196,608 --a------ C:\WINDOWS\system32\nvwrsko.dll
2006-10-04 23:38 167,936 --a------ C:\WINDOWS\system32\nvwrszht.dll
2006-10-04 23:38 163,840 --a------ C:\WINDOWS\system32\nvwrszhc.dll
2006-10-04 23:38 143,427 --a------ C:\WINDOWS\system32\nvsvc32.exe
2006-10-04 23:38 126,976 --a------ C:\WINDOWS\system32\Prounstl.exe
2006-10-04 23:38 118,784 --a------ C:\WINDOWS\system32\nvrszht.dll
2006-10-04 23:38 112,128 --a------ C:\WINDOWS\system32\staco.dll
2006-10-04 23:38 1,156,648 --a------ C:\WINDOWS\system32\drivers\sthda.sys
2006-10-04 23:37 884,736 --a------ C:\WINDOWS\system32\msimsg.dll
2006-10-04 23:37 78,848 --a------ C:\WINDOWS\system32\msiexec.exe
2006-10-04 23:37 453,120 --a------ C:\WINDOWS\system32\drivers\mrxsmb.sys
2006-10-04 23:37 271,360 --a------ C:\WINDOWS\system32\msihnd.dll
2006-10-04 23:37 2,890,240 --a------ C:\WINDOWS\system32\msi.dll
2006-10-04 23:37 15,360 --a------ C:\WINDOWS\system32\msisip.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-15 15:56 -------- d-------- C:\Program Files\Common Files
2006-10-15 15:29 -------- d-------- C:\Program Files\HijackThis
2006-10-15 11:25 -------- d-------- C:\Program Files\OfficeUpdate11
2006-10-15 11:20 -------- d-------- C:\Program Files\SpywareGuard
2006-10-14 18:35 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-14 16:54 -------- d---s---- C:\Documents and Settings\Richard\Application Data\Microsoft
2006-10-14 16:11 -------- d-------- C:\Documents and Settings\Richard\Application Data\Mozilla
2006-10-14 15:51 -------- d-------- C:\Program Files\Ultimate Cleaner
2006-10-14 12:38 -------- d-------- C:\Program Files\Windows Defender
2006-10-14 12:37 -------- d-------- C:\Program Files\QuickTime
2006-10-14 12:36 -------- d-------- C:\Program Files\Internet Explorer
2006-10-14 12:33 -------- d-------- C:\Program Files\BAE
2006-10-13 23:12 -------- d-------- C:\Program Files\XoftSpy
2006-10-13 18:37 -------- d-------- C:\Program Files\NoAdware4
2006-10-13 17:56 -------- d-------- C:\Documents and Settings\Richard\Application Data\Adobe
2006-10-13 17:55 -------- d-------- C:\Program Files\Common Files\Adobe
2006-10-13 17:55 -------- d-------- C:\Program Files\Adobe
2006-10-13 15:38 -------- d-------- C:\Documents and Settings\Richard\Application Data\Help
2006-10-13 15:12 -------- d-------- C:\Program Files\Zone Labs
2006-10-13 11:03 -------- d-------- C:\Documents and Settings\Richard\Application Data\Real
2006-10-13 10:57 -------- d-------- C:\Program Files\Common Files\xing shared
2006-10-13 10:57 -------- d-------- C:\Program Files\Common Files\Real
2006-10-13 09:56 -------- d-------- C:\Program Files\Lavasoft
2006-10-13 09:56 -------- d-------- C:\Documents and Settings\Richard\Application Data\Lavasoft
2006-10-12 21:04 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-12 20:14 -------- d--h----- C:\Documents and Settings\Richard\Application Data\Gtek
2006-10-12 16:39 -------- d-------- C:\Documents and Settings\Richard\Application Data\Canon
2006-10-12 13:37 -------- d-------- C:\Documents and Settings\Richard\Application Data\PIE
2006-10-12 12:15 -------- d-------- C:\Program Files\Canon
2006-10-11 18:57 -------- d-------- C:\Program Files\Microsoft Office 97
2006-10-11 18:57 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-11 18:54 -------- d-------- C:\Program Files\Microsoft Office
2006-10-11 18:49 -------- d-------- C:\Program Files\Windows Messaging
2006-10-10 23:04 0 --a------ C:\Documents and Settings\Richard\Application Data\wklnhst.dat
2006-10-10 23:04 -------- d-------- C:\Documents and Settings\Richard\Application Data\Template
2006-10-10 19:48 -------- d-------- C:\Program Files\EPSON
2006-10-10 07:17 -------- d-------- C:\Program Files\Google
2006-10-09 23:38 -------- d-------- C:\Documents and Settings\Richard\Application Data\Sun
2006-10-09 23:34 -------- d-------- C:\Program Files\Common Files\mozilla.org
2006-10-09 23:33 -------- d-------- C:\Program Files\mozilla.org
2006-10-09 22:52 -------- d-------- C:\Documents and Settings\Richard\Application Data\AdobeUM
2006-10-09 22:48 -------- d-------- C:\Documents and Settings\Richard\Application Data\Corel Photo Album
2006-10-09 21:26 -------- d-------- C:\Program Files\Grisoft
2006-10-09 21:26 -------- d-------- C:\Documents and Settings\Richard\Application Data\AVG7
2006-10-09 19:21 -------- d-------- C:\Program Files\Common Files\AOL
2006-10-09 19:20 -------- d-------- C:\Documents and Settings\Richard\Application Data\AOL
2006-10-09 19:16 -------- d-------- C:\Documents and Settings\Richard\Application Data\Macromedia
2006-10-09 19:11 -------- d-------- C:\Documents and Settings\Richard\Application Data\McAfee.com Personal Firewall
2006-10-05 00:07 -------- d-------- C:\Program Files\Microsoft Works
2006-10-05 00:05 -------- d-------- C:\Program Files\Sonic
2006-10-05 00:05 -------- d-------- C:\Program Files\Common Files\Sonic Shared
2006-10-05 00:04 -------- d-------- C:\Program Files\Roxio
2006-10-05 00:04 -------- d-------- C:\Program Files\McAfee
2006-10-05 00:04 -------- d-------- C:\Program Files\Common Files\TiVo Shared
2006-10-05 00:02 -------- d-------- C:\Program Files\Viewpoint
2006-10-05 00:02 -------- d-------- C:\Program Files\Learn2.com
2006-10-05 00:02 -------- d-------- C:\Program Files\Common Files\Nullsoft
2006-10-05 00:02 -------- d-------- C:\Documents and Settings\Richard\Application Data\You've Got Pictures Screensaver
2006-10-05 00:01 -------- d-------- C:\Program Files\Real
2006-10-05 00:00 -------- d-------- C:\Program Files\Windows Media Player
2006-10-05 00:00 -------- d-------- C:\Program Files\Corel Corporation
2006-10-05 00:00 -------- d-------- C:\Program Files\Corel
2006-10-05 00:00 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-10-05 00:00 -------- d-------- C:\Program Files\Common Files\Corel
2006-10-05 00:00 -------- d-------- C:\Documents and Settings\Richard\Application Data\Corel
2006-10-04 23:59 -------- d-------- C:\Documents and Settings\Richard\Application Data\Symantec
2006-10-04 23:58 -------- d-------- C:\Program Files\Wanadoo Europe
2006-10-04 23:58 -------- d-------- C:\Program Files\Tiscali
2006-10-04 23:58 -------- d-------- C:\Program Files\Symantec
2006-10-04 23:58 -------- d-------- C:\Program Files\InterActual
2006-10-04 23:58 -------- d-------- C:\Program Files\Dell
2006-10-04 23:57 -------- d-------- C:\Program Files\Intel
2006-10-04 23:57 -------- d-------- C:\Program Files\Common Files\Roxio Shared
2006-10-04 23:55 -------- d-------- C:\Program Files\Sigmatel
2006-10-04 23:54 -------- d-------- C:\Program Files\Outlook Express
2006-10-04 23:54 -------- d-------- C:\Program Files\Common Files\System
2006-10-04 23:53 -------- d-------- C:\Program Files\Messenger
2006-10-04 23:53 -------- d-------- C:\Program Files\Java
2006-10-04 23:52 -------- d-------- C:\Program Files\Common Files\Java
2006-09-13 06:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 16:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-23 00:13 11776 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-08-21 13:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 10:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-16 12:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-16 10:37 225664 --a------ C:\WINDOWS\system32\drivers\tcpip6.sys
2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"RealPlayer"="\"C:\\Program Files\\Real\\RealPlayer\\realplay.exe\" /RunUPGToolCommandReBoot"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"SigmatelSysTrayApp"="stsystra.exe"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe"
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
@=""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"Corel Photo Downloader"="C:\\Program Files\\Corel\\Corel Photo Album 6\\MediaDetect.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,86,01,00,00,00,00,00,00,78,02,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{0E24427B-DF2A-40EB-980B-A819F5FF3DD0}"=""
"{81559C35-8464-49F7-BB0E-07A383BEF910}"="SpywareGuard"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job

Completion time: 06-10-15 15:57:01.25
C:\ComboFix.txt ... 06-10-15 15:57


HIJACK THIS LOG (run after Reboot)
----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 16:05:17, on 15/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office 97\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office 97\Office\OSA.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\showme.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/hws/sb/dell-usuk/e...html?channel=uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default....;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default....;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk/hws/sb/dell-usuk/e...html?channel=uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office 97\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office 97\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...871/mcfscan.cab
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
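
Added here as an example (not part of the thread, and not HijackThis code): a small Python triage script for the HijackThis log format shown above. It parses the R0/R1, O2, O4, O9, O16 and O23 lines into records and flags what the helpers in this thread look at first: targets marked "(file missing)" and binaries loaded straight from C:\WINDOWS\system32 that are not yet on the analyst's verified list. The sample lines are constructed in the shape of the log above (the vturr.dll BHO is reconstructed from the first post), and the verified list is a constructed placeholder.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not HijackThis code).

Parses R0/R1 (IE start/search pages), O2 (BHOs), O4 (Run keys, Startup folders),
O9 (IE extra buttons), O16 (DPF ActiveX downloads) and O23 (services) into
records, then flags targets marked "(file missing)" and binaries loaded directly
from C:\\WINDOWS\\system32 that are not on the analyst's verified list.
"""
import re
from dataclasses import dataclass, field

# Sample lines constructed in the shape of the log above; the O2 entry for
# vturr.dll is reconstructed from the BHO reported in the thread's first post.
SAMPLE_LOG = "\n".join([
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/",
    r"O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll",
    r"O2 - BHO: (no name) - {91B2B74C-8732-4C17-84EE-60A553D5B0A5} - C:\WINDOWS\system32\vturr.dll",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)",
    r"O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
])

# Constructed placeholder for the analyst's own list of system32 files already
# checked against a clean install; anything else loaded from there gets flagged.
VERIFIED = {"ctfmon.exe", "nvsvc32.exe", "shdocvw.dll"}

LINE_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# First drive-letter path in a command line, quoted or not, ending in a binary.
PATH_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|scr|cpl))\b', re.I)
SYSTEM32_RE = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.I)


@dataclass
class Entry:
    kind: str
    name: str
    target: str
    clsid: str = ""
    flags: list = field(default_factory=list)


def parse_line(line):
    """Turn one HijackThis line into an Entry, or None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0) if clsid_m else ""
    if kind.startswith("R"):
        # "HKCU\...\Main,Start Page = http://..."
        name, _, target = body.partition(" = ")
    elif kind == "O4":
        # "HKLM\..\Run: [Name] command" or "Startup: X.lnk = path"
        o4 = O4_RE.match(body)
        if o4:
            name, target = o4.group("name"), o4.group("cmd")
        else:
            name, _, target = body.partition(" = ")
    else:
        # O2/O9/O16/O23: the loaded file or URL is the last " - " field; the
        # display name is what remains once the prefix and CLSID are removed.
        head, _, target = body.rpartition(" - ")
        name = head.split(": ", 1)[1] if ": " in head else head
        name = CLSID_RE.sub("", name).strip(" -")
    return Entry(kind, name.strip(), target.strip(), clsid)


def flag(entry):
    """Attach review flags to an entry; returns the same entry for chaining."""
    if "(file missing)" in entry.target:
        entry.flags.append("target file missing")
    pm = PATH_RE.search(entry.target)
    if pm:
        path = pm.group("path")
        base = path.rsplit("\\", 1)[-1].lower()
        if SYSTEM32_RE.match(path) and base not in VERIFIED:
            entry.flags.append("loaded directly from system32, not on verified list")
    return entry


def triage(log_text):
    """Parse every entry line in a HijackThis log and flag it."""
    return [flag(e) for e in map(parse_line, log_text.splitlines()) if e]


def suspicious(log_text):
    """Only the entries that carry at least one review flag."""
    return [e for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.kind:<4}{e.name:<35}{e.target}")
        for f in e.flags:
            print(f"      -> {f}")
```

Running it on the constructed sample reports only the unverified system32 BHO and the missing bdoscandel.exe button; the verified ctfmon.exe and nvsvc32.exe entries stay quiet.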

#10 -David-

Posted 15 October 2006 - 10:12 AM

Hey there Priston,

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

C:\WINDOWS\system32\pdhvzdd.dll
C:\WINDOWS\unvise32qt.exe


Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.

Please delete this folder:
C:\Program Files\Viewpoint

Please let me know when you have submitted the files.

#11 Priston (Topic Starter)

Posted 15 October 2006 - 11:49 AM

Thanks David

Suspicious files submitted and C:\Program Files\Viewpoint folder deleted (and Recycle bin emptied)

#12 -David-

Posted 15 October 2006 - 12:07 PM

Ok, I had a look at the files, one of them is legitimate whilst the other is malicious.
Please navigate to the following file and delete it:
C:\WINDOWS\system32\pdhvzdd.dll

I now see clean logs, your latest HijackThis log looked fine.
How do you feel the system is running now?

#13 Priston (Topic Starter)

Posted 15 October 2006 - 12:27 PM

David, thanks for latest

C:\WINDOWS\system32\pdhvzdd.dll deleted, Recycle bin emptied and system rebooted.

System seems to be working very well now, no prompts from AVG, Spyware Guard etc

I very much appreciate all your help.

#14 -David-

Posted 15 October 2006 - 03:35 PM

Glad I could help! :thumbsup:
The latest log is looking clean!
Follow this list and your potential for being infected again will be reduced dramatically.

Use an Anti Virus Software -
* It is very important that your computer has an anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I can not stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer has always the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly

Install Spybot© - Search and Destroy- Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasoft's© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacools© SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings, and that will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any additional questions just ask...
David

#15 Priston (Topic Starter)

Posted 15 October 2006 - 04:44 PM

Thanks v much. I have been incredibly impressed by BleepingComputer.com in general, and your assistance in particular. It is very heartening that although there are some people who spend their time writing malicious software, there are others who spend their own time helping sort out the problems.

Donation on the way!
